| Category | Microsoft Docs article | Related commit history on GitHub | Change details |
|---|---|---|---|
| compliance | Apply Retention Labels Automatically | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md | Exchange: SharePoint and OneDrive: -|Condition|New or modified items |Existing items (data at rest)| +|Condition|New or modified items |Existing items | |:--|:--|:--| |Sensitive info types - built-in| Yes | Yes | |Sensitive info types - custom| Yes | No | |
| compliance | Apply Sensitivity Label Automatically | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md | There are two different methods for automatically applying a sensitivity label t Specific to auto-labeling for SharePoint and OneDrive: - Office files for Word (.docx), PowerPoint (.pptx), and Excel (.xlsx) are supported.- - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they are part of an open session (the file is open). + - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they're part of an open session (the file is open). - Currently, attachments to list items aren't supported and won't be auto-labeled. - Maximum of 25,000 automatically labeled files in your tenant per day.- - Maximum of 100 auto-labeling policies per tenant, each targeting up to 100 sites (SharePoint or OneDrive) when they are specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum. + - Maximum of 100 auto-labeling policies per tenant, each targeting up to 100 sites (SharePoint or OneDrive) when they're specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum. - Existing values for modified, modified by, and the date are not changed as a result of auto-labeling policiesΓÇöfor both simulation mode and when labels are applied. - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the account that last modified the file. If this account is no longer in Azure Active Directory, the label won't be applied because these values can't be set. There are two different methods for automatically applying a sensitivity label t - Unlike manual labeling or auto-labeling with Office apps, PDF attachments as well as Office attachments are also scanned for the conditions you specify in your auto-labeling policy. When there is a match, the email is labeled but not the attachment. - For PDF files, if the label applies encryption, these files are encrypted by using [Office 365 Message Encryption (OME)](ome.md) when your tenant is [enabled for PDF attachments](ome-faq.yml#are-pdf-file-attachments-supported-).- - For these Office files, Word, PowerPoint, and Excel are supported. If the label applies encryption, they are encrypted by using [Office 365 Message Encryption (OME)](ome.md). + - For these Office files, Word, PowerPoint, and Excel are supported. If the label applies encryption, they're encrypted by using [Office 365 Message Encryption (OME)](ome.md). - If you have Exchange mail flow rules or data loss prevention (DLP) policies that apply IRM encryption: When content is identified by these rules or policies and an auto-labeling policy, the label is applied. If that label applies encryption, the IRM settings from the Exchange mail flow rules or DLP policies are ignored. However, if that label doesn't apply encryption, the IRM settings from the mail flow rules or DLP policies are applied in addition to the label. - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there is a match by using auto-labeling. - Incoming email is labeled when there is a match with your auto-labeling conditions. If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption is applied when the sender is from your organization but not applied when the sender is outside your organization. Make sure you're aware of the prerequisites before you configure auto-labeling p - One or more sensitivity labels [created and published](create-sensitivity-labels.md) (to at least one user) that you can select for your auto-labeling policies. For these labels: - It doesn't matter if the auto-labeling in Office apps label setting is turned on or off, because that label setting supplements auto-labeling policies, as explained in the introduction.- - If the labels you want to use for auto-labeling are configured to use visual markings (headers, footers, watermarks), note that these are not applied to documents. + - If the labels you want to use for auto-labeling are configured to use visual markings (headers, footers, watermarks), note that these aren't applied to documents. - If the labels apply [encryption](encryption-sensitivity-labels.md): - When the auto-labeling policy includes locations for SharePoint or OneDrive, the label must be configured for the **Assign permissions now** setting. - When the auto-labeling policy is just for Exchange, the label can be configured for either **Assign permissions now** or **Let users assign permissions** (for the Do Not Forward or Encrypt-Only options). Make sure you're aware of the prerequisites before you configure auto-labeling p Simulation mode is unique to auto-labeling policies and woven into the workflow. You can't automatically label documents and emails until your policy has run at least one simulation. -Simulation mode supports up to 1,000,000 matched files. If more than this number of files are matched from an auto-labeling policy, you can't turn on the policy to apply the labels. In this case, you must reconfigure the auto-labeling policy so that fewer files are matched, and re-run simulation. This maximum of 1,000,000 matched files applies to simulation mode only and not to an auto-labeling policy that's already turned on to apply sensitivity labels. +Simulation mode supports up to 1,000,000 matched files. If more than this number of files are matched from an auto-labeling policy, you can't turn on the policy to apply the labels. In this case, you must reconfigure the auto-labeling policy so that fewer files are matched, and rerun simulation. This maximum of 1,000,000 matched files applies to simulation mode only and not to an auto-labeling policy that's already turned on to apply sensitivity labels. Workflow for an auto-labeling policy: Workflow for an auto-labeling policy: 5. Deploy in production. -The simulated deployment runs like the WhatIf parameter for PowerShell. You see results reported as if the auto-labeling policy had applied your selected label, using the rules that you defined. You can then refine your rules for accuracy if needed, and rerun the simulation. However, because auto-labeling for Exchange applies to emails that are sent and received, rather than emails stored in mailboxes, don't expect results for email in a simulation to be consistent unless you're able to send and receive the exact same email messages. +The simulated deployment runs like the WhatIf parameter for PowerShell. You see results reported as if the auto-labeling policy had applied your selected label, using the rules that you defined. You can then refine your rules for accuracy if needed, and rerun the simulation. However, because auto-labeling for Exchange applies to emails that are sent and received, rather than emails stored in mailboxes, don't expect results for email in a simulation to be consistent unless you can send and receive the exact same email messages. Simulation mode also lets you gradually increase the scope of your auto-labeling policy before deployment. For example, you might start with a single location, such as a SharePoint site, with a single document library. Then, with iterative changes, increase the scope to multiple sites, and then to another location, such as OneDrive. Finally, you can use simulation mode to provide an approximation of the time nee  To specify individual OneDrive accounts, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls).+ + > [!NOTE] + > When [OneDrive accounts are deleted](/onedrive/retention-and-deletion#the-onedrive-deletion-process) (for example, an employee leaves the organization) the location gets marked as a SharePoint site to support continued access during the OneDrive retention period. + > + > At this stage of deletion, files in the OneDrive account won't be included in the **All** setting for the **OneDrive accounts** location but will be included in the **All** setting for the **SharePoint sites** location. Any files from these deleted OneDrive accounts display SharePoint as their source location in the simulation results and auditing data. 7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, select **Advanced rules**. Then select **Next**. Finally, you can use simulation mode to provide an approximation of the time nee - For sensitive information types, you can select both built-in and custom sensitive information types. - For the shared options, you can choose **only with people inside my organization** or **with people outside my organization**. - If your only location is **Exchange**, or if you select **Advanced rules**, there are additional conditions that you can select: + If your only location is **Exchange**, or if you select **Advanced rules**, there are other conditions that you can select: - Sender IP address is - Recipient domain is - Recipient is Finally, you can use simulation mode to provide an approximation of the time nee The configuration options for sensitive information types are the same as those you select for auto-labeling for Office apps. If you need more information, see [Configuring sensitive info types for a label](#configuring-sensitive-info-types-for-a-label). - When you have defined all the rules you need, and confirmed their status is on, select **Next** to move on to choosing a label to auto-apply. + When you've defined all the rules you need, and confirmed their status is on, select **Next** to move on to choosing a label to auto-apply. 9. For the **Choose a label to auto-apply** page: Select **+ Choose a label**, select a label from the **Choose a sensitivity label** pane, and then select **Next**. You can modify your policy directly from this interface: When you're ready to run the policy without simulation, select the **Turn on policy** option. -Auto-policies run continuously until they are deleted. For example, new and modified files will be included with the current policy settings. +Auto-policies run continuously until they're deleted. For example, new and modified files will be included with the current policy settings. ### Monitoring your auto-labeling policy -After your auto-labeling policy is turned on, you can view the labeling progress for files in your chosen SharePoint and OneDrive locations. Emails are not included in the labeling progress because they are automatically labeled as they are sent. +After your auto-labeling policy is turned on, you can view the labeling progress for files in your chosen SharePoint and OneDrive locations. Emails aren't included in the labeling progress because they're automatically labeled as they're sent. The labeling progress includes the files to be labeled by the policy, the files labeled in the last 7 days, and the total files labeled. Because of the maximum of labeling 25,000 files a day, this information provides you with visibility into the current labeling progress for your policy and how many files are still to be labeled. -When you first turn on your policy, you will initially see a value of 0 for files to be labeled until the latest data is retrieved. This progress information updates every 48 hours, so you can expect to see the most current data about every other day. When you select an auto-labeling policy, you can see more details about the policy in a flyout pane, which includes the labeling progress by the top 10 sites. The information on this flyout pane might be more current than the aggregated policy information displayed on the **Auto-labeling** main page. +When you first turn on your policy, you initially see a value of 0 for files to be labeled until the latest data is retrieved. This progress information updates every 48 hours, so you can expect to see the most current data about every other day. When you select an auto-labeling policy, you can see more details about the policy in a flyout pane, which includes the labeling progress by the top 10 sites. The information on this flyout pane might be more current than the aggregated policy information displayed on the **Auto-labeling** main page. You can also see the results of your auto-labeling policy by using [content explorer](data-classification-content-explorer.md) when you have the appropriate [permissions](data-classification-content-explorer.md#permissions): New-AutoSensitivityLabelPolicy -Name <AutoLabelingPolicyName> -SharePointLocatio This command creates an auto-labeling policy for a SharePoint site that you specify. For a OneDrive location, use the *OneDriveLocation* parameter, instead. -To add additional sites to an existing auto-labeling policy: +To add more sites to an existing auto-labeling policy: ```powershell $spoLocations = @("<SharePointSiteLocation1>","<SharePointSiteLocation2>") Set-AutoSensitivityLabelPolicy -Identity <AutoLabelingPolicyName> -AddSharePointLocation $spoLocations -ApplySensitivityLabel <Label> -Mode TestWithoutNotifications ``` -This command specifies the additional SharePoint URLs in a variable that is then added to an existing auto-labeling policy. To add OneDrive locations instead, use the *AddOneDriveLocation* parameter with a different variable, such as *$OneDriveLocations*. +This command specifies the new SharePoint URLs in a variable that is then added to an existing auto-labeling policy. To add OneDrive locations instead, use the *AddOneDriveLocation* parameter with a different variable, such as *$OneDriveLocations*. To create a new auto-labeling policy rule: For more information about the PowerShell cmdlets that support auto-labeling pol ## Tips to increase labeling reach -Although auto-labeling is one of the most efficient ways to classify, label, and protect Office files that your organization owns, check whether you can supplement it with any of the additional methods to increase your labeling reach: +Although auto-labeling is one of the most efficient ways to classify, label, and protect Office files that your organization owns, check whether you can supplement it with any of the following methods to increase your labeling reach: - With SharePoint Syntex, you can [apply a sensitivity label to a document understanding model](/microsoft-365/contentunderstanding/apply-a-sensitivity-label-to-a-model), so that identified documents in a SharePoint library are automatically labeled. - When you use the [Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2): - - For files in on-premises data stores such as network shares and SharePoint Server libraries: Use the [scanner](/azure/information-protection/deploy-aip-scanner) to discover sensitive information in these files and label them appropriately. If you are planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud. + - For files in on-premises data stores such as network shares and SharePoint Server libraries: Use the [scanner](/azure/information-protection/deploy-aip-scanner) to discover sensitive information in these files and label them appropriately. If you're planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud. - - If you have used another labeling solution before using sensitivity labels: Use PowerShell and [an advanced setting to reuse labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#migrate-labels-from-secure-islands-and-other-labeling-solutions) from these solutions. + - If you've used another labeling solution before using sensitivity labels: Use PowerShell and [an advanced setting to reuse labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#migrate-labels-from-secure-islands-and-other-labeling-solutions) from these solutions. - Encourage [manual labeling](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9) after providing users with training which sensitivity labels to apply. When you're confident that users understand which label to apply, consider configuring a default label and mandatory labeling as [policy settings](sensitivity-labels.md#what-label-policies-can-do). |
| compliance | Compliance Easy Trials Compliance Playbook | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials-compliance-playbook.md | description: "Microsoft 365 compliance solutions trial playbook." # Trial playbook: Microsoft 365 Compliance solutions -Welcome to the Microsoft 365 compliance solutions trial playbook. ​This playbook will help you make the most of your 90-day free trial by helping you discover robust and comprehensive capabilities of Microsoft 365 compliance and security products. ​ -​ -Trying each solution will help you make informed decisions to meet your organization’s compliance needs.​ +Welcome to the Microsoft 365 compliance solutions trial playbook. This playbook will help you make the most of your 90-day free trial by helping you discover robust and comprehensive capabilities of Microsoft 365 compliance and security products. ++Trying each solution will help you make informed decisions to meet your organization’s compliance needs. Features: Features: Optional add-ons: - [Compliance Manager premium assessments](#compliance-manager-premium-assessments)-- [Privacy Management](#privacy-management)+- [Microsoft Priva Privacy Risk Management and Microsoft Priva Subject Rights Requests](#microsoft-priva-privacy-risk-management-and-microsoft-priva-subject-rights-requests) ## Compliance Actions with Microsoft 365 -Easily and quickly start trying Microsoft’s compliance solutions without changing your organization’s meta data. Depending on your priorities, you can start with any of these solution areas to see immediate value. Below are five top organizational concerns as communicated by our customers and recommended solutions to start with. +Easily and quickly start trying Microsoft’s compliance solutions without changing your organization’s meta data. Depending on your priorities, you can start with any of these solution areas to see immediate value. Below are five top organizational concerns as communicated by our customers and recommended solutions to start with. :::image type="content" source="../media/compliance-trial/workflow.png" alt-text="Compliance actions with Microsoft 365"::: Easily and quickly start trying Microsoft’s compliance solutions without chang Advanced Audit helps organizations to conduct forensic and compliance investigations by increasing audit log retention required to conduct an investigation, providing access to crucial events that help determine scope of compromise, and providing faster access to the Office 365 Management Activity API. -### Step 1: [Apply the E5 license to each user for which you’d like to generate E5 events​](set-up-advanced-audit.md#step-1-set-up-advanced-audit-for-users) +### Step 1: [Apply the E5 license to each user for which you’d like to generate E5 events](set-up-advanced-audit.md#step-1-set-up-advanced-audit-for-users) > [!TIP] > Trial best practice: Day 1 Advanced Audit features such as the ability to log crucial events such as MailItemsAccessed and Send require an appropriate E5 license assigned to users. Additionally, the Advanced Auditing app/service plan must be enabled for those users. -Set up Advanced Audit for users - to verify that the Advanced Auditing app is assigned to users, [perform the following steps for each user](set-up-advanced-audit.md#step-1-set-up-advanced-audit-for-users).​ +Set up Advanced Audit for users - to verify that the Advanced Auditing app is assigned to users, [perform the following steps for each user](set-up-advanced-audit.md#step-1-set-up-advanced-audit-for-users). -1. Enable Advanced Audit events - [enable SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint](set-up-advanced-audit.md#step-2-enable-advanced-audit-events) to be audited for each user in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).​ -1. Set up audit retention policies - [create additional audit log retention policies](set-up-advanced-audit.md#step-3-set-up-audit-retention-policies) to meet the requirements of your organization's security operations, IT, and compliance teams. ​ -1. Search for Advanced Audit events - [search for crucial Advanced Audit events](set-up-advanced-audit.md#step-4-search-for-advanced-audit-events) and other activities when conducting forensic investigations​ +1. Enable Advanced Audit events - [enable SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint](set-up-advanced-audit.md#step-2-enable-advanced-audit-events) to be audited for each user in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). +1. Set up audit retention policies - [create additional audit log retention policies](set-up-advanced-audit.md#step-3-set-up-audit-retention-policies) to meet the requirements of your organization's security operations, IT, and compliance teams. +1. Search for Advanced Audit events - [search for crucial Advanced Audit events](set-up-advanced-audit.md#step-4-search-for-advanced-audit-events) and other activities when conducting forensic investigations. ### Step 2: [Create new Audit Log policies to specify how long to retain audit logs in your org for activities performed by users and define priority levels for your policies​](audit-log-retention-policies.md#before-you-create-an-audit-log-retention-policy) > [!TIP] > Trial best practice: Create within the first 30 days -Audit log retention policies are part of the new Advanced Audit capabilities in Microsoft 365. An audit log retention policy lets you specify how long to retain audit logs in your organization.​ +Audit log retention policies are part of the new Advanced Audit capabilities in Microsoft 365. An audit log retention policy lets you specify how long to retain audit logs in your organization. -1. Before you create an audit log retention policy – [key things to know](audit-log-retention-policies.md#before-you-create-an-audit-log-retention-policy) before creating your policy.​ +1. Before you create an audit log retention policy – [key things to know](audit-log-retention-policies.md#before-you-create-an-audit-log-retention-policy) before creating your policy. 1. [Create an audit log retention policy​](audit-log-retention-policies.md#create-an-audit-log-retention-policy)-1. [Manage audit log retention policies in the Microsoft 365 compliance center](audit-log-retention-policies.md#manage-audit-log-retention-policies-in-the-microsoft-365-compliance-center) - Audit log retention policies are listed on the Audit retention policies tab (also called the dashboard). You can use the dashboard to view, edit, and delete audit retention policies. ​ -1. Create and manage audit log retention policies on PowerShell - You can also use Security & Compliance Center PowerShell to [create and manage audit log retention policies](audit-log-retention-policies.md#create-and-manage-audit-log-retention-policies-in-powershell). One reason to use PowerShell is to create a policy for a record type or activity that isn't available in the UI.​ +1. [Manage audit log retention policies in the Microsoft 365 compliance center](audit-log-retention-policies.md#manage-audit-log-retention-policies-in-the-microsoft-365-compliance-center) - Audit log retention policies are listed on the Audit retention policies tab (also called the dashboard). You can use the dashboard to view, edit, and delete audit retention policies. +1. Create and manage audit log retention policies on PowerShell - You can also use Security & Compliance Center PowerShell to [create and manage audit log retention policies](audit-log-retention-policies.md#create-and-manage-audit-log-retention-policies-in-powershell). One reason to use PowerShell is to create a policy for a record type or activity that isn't available in the UI. ## Communication Compliance Audit log retention policies are part of the new Advanced Audit capabilities in Communication compliance helps you intelligently identify communication violations to support a compliant and healthy work environment by helping you detect inappropriate messages, investigate possible policy violations, and take steps to remediate. -### Step 1: [Enable permissions for communication compliance​](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance) +### Step 1: [Enable permissions for communication compliance](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance) > [!TIP] > Trial best practice: Day 1 -[Assign all compliance users to the Communication Compliance role group](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance).​ +[Assign all compliance users to the Communication Compliance role group](communication-compliance-configure.md#step-1-required-enable-permissions-for-communication-compliance). ### Step 2: [Enable the audit log​](communication-compliance-configure.md#step-2-required-enable-the-audit-log) > [!TIP] > Trial best practice: Setup within the first 30 days -To use this feature, turn on auditing so your organization can start recording user and admin activity in your org. When you turn this on, activity will be recorded to the audit log and available to view in a report. ​To learn more, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md). +To use this feature, turn on auditing so your organization can start recording user and admin activity in your org. When you turn this on, activity will be recorded to the audit log and available to view in a report. To learn more, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md). ### Step 3: [Create a communication compliance policy](communication-compliance-policies.md) -[Create communication compliance policy using the existing templates](communication-compliance-policies.md): 1- Inappropriate content; 2- Sensitive information; 3- Regulatory compliance; 4- Conflict of interest.​ +[Create communication compliance policy using the existing templates](communication-compliance-policies.md): 1- Inappropriate content; 2- Sensitive information; 3- Regulatory compliance; 4- Conflict of interest. -### Step 4: [Investigate and remediate alerts​](communication-compliance-investigate-remediate.md) +### Step 4: [Investigate and remediate alerts](communication-compliance-investigate-remediate.md) -[Investigate and remediate](communication-compliance-investigate-remediate.md) communication compliance alerts.​ +[Investigate and remediate](communication-compliance-investigate-remediate.md) communication compliance alerts. ## Compliance Manager Compliance Manager can help you throughout your compliance journey, from taking > [!TIP] > Trial best practice: Day 1 -Our Compliance Manager overview page is the best first stop for a comprehensive review of what Compliance Manager is and how it works. You may also want to jump right to key sections of our documentation using the links below:​ +Our Compliance Manager overview page is the best first stop for a comprehensive review of what Compliance Manager is and how it works. You may also want to jump right to key sections of our documentation using the links below: -- [Understand your compliance score​](compliance-manager.md#understanding-your-compliance-score)-- [Overview of key elements: controls, assessments, templates, and improvement actions​](compliance-manager.md#key-elements-controls-assessments-templates-improvement-actions)-- [Understand the Compliance Manager dashboard​](compliance-manager-setup.md#understand-the-compliance-manager-dashboard)-- [Filter your dashboard view​](compliance-manager-setup.md#filtering-your-dashboard-view)-- [Learn about improvement actions​](compliance-manager-setup.md#improvement-actions-page)-- [Understand assessments​](compliance-manager.md#assessments)-- [Do a quick scan of your environment using the Microsoft Compliance Configuration Manager​](compliance-manager-mcca.md)+- [Understand your compliance score](compliance-manager.md#understanding-your-compliance-score) +- [Overview of key elements: controls, assessments, templates, and improvement actions](compliance-manager.md#key-elements-controls-assessments-templates-improvement-actions) +- [Understand the Compliance Manager dashboard](compliance-manager-setup.md#understand-the-compliance-manager-dashboard) +- [Filter your dashboard view](compliance-manager-setup.md#filtering-your-dashboard-view) +- [Learn about improvement actions](compliance-manager-setup.md#improvement-actions-page) +- [Understand assessments](compliance-manager.md#assessments) +- [Do a quick scan of your environment using the Microsoft Compliance Configuration Manager](compliance-manager-mcca.md)  Our Compliance Manager overview page is the best first stop for a comprehensive Start working with assessments and taking improvement actions to implement controls and improve your compliance score. -1. [Choose a pre-built template to create and manage your first assessment](compliance-manager-assessments.md).​ -1. [Understand how to use templates for building assessments](compliance-manager-templates.md).​ -1. [Perform implementation and testing work on improvement actions to complete controls in your assessments](compliance-manager-improvement-actions.md).​ -1. [Better understand how different actions impact your compliance score](compliance-score-calculation.md).​ +1. [Choose a pre-built template to create and manage your first assessment](compliance-manager-assessments.md). +1. [Understand how to use templates for building assessments](compliance-manager-templates.md). +1. [Perform implementation and testing work on improvement actions to complete controls in your assessments](compliance-manager-improvement-actions.md). +1. [Better understand how different actions impact your compliance score](compliance-score-calculation.md). > [!NOTE] > Microsoft 365 or Office 365 E1/E3 subscription includes Microsoft Data Protection Baseline template. Microsoft 365 or Office 365 E5, E5 Compliance includes templates for: Start working with assessments and taking improvement actions to implement contr ### Step 3: [Scaling up: use advanced functionality to meet your custom needs​](compliance-manager-templates-create.md) -Custom assessments are helpful for:​ +Custom assessments are helpful for: -- Managing compliance for non-Microsoft 365 products such as third-party apps and services, on-premises applications, and other assets​+- Managing compliance for non-Microsoft 365 products such as third-party apps and services, on-premises applications, and other assets - Managing your own custom or business-specific compliance controls -1. [Extend a Compliance Manager template by adding your own controls and improvement actions](compliance-manager-templates-extend.md)​ -1. [Create your own custom template​](compliance-manager-templates-create.md) -1. [Modify an existing template to add or remove controls and actions​](compliance-manager-templates-modify.md) -1. [Set up automated testing of improvement actions​](compliance-manager-setup.md#set-up-automated-testing) -1. [Reassign improvement actions to another user​](compliance-manager-setup.md#reassign-improvement-actions-to-another-user) +1. [Extend a Compliance Manager template by adding your own controls and improvement actions](compliance-manager-templates-extend.md) +1. [Create your own custom template](compliance-manager-templates-create.md) +1. [Modify an existing template to add or remove controls and actions](compliance-manager-templates-modify.md) +1. [Set up automated testing of improvement actions](compliance-manager-setup.md#set-up-automated-testing) +1. [Reassign improvement actions to another user](compliance-manager-setup.md#reassign-improvement-actions-to-another-user) ## Data Loss Prevention To comply with business standards and industry regulations, organizations need t If your organization has data loss prevention (DLP), you can define policies that prevent people from sharing sensitive information in a Microsoft Teams channel or chat session. -1. Learn about [DLP Licensing for Microsoft Teams and the scope of DLP protection​](dlp-microsoft-teams.md#dlp-licensing-for-microsoft-teams) -1. [Add Microsoft Teams as a location to existing DLP policies​](dlp-microsoft-teams.md#add-microsoft-teams-as-a-location-to-existing-dlp-policies) -1. [Configure our default DLP policy for Teams](mip-easy-trials.md) or [Define a new DLP policy for Microsoft Teams​](dlp-microsoft-teams.md#define-a-new-dlp-policy-for-microsoft-teams) +1. Learn about [DLP Licensing for Microsoft Teams and the scope of DLP protection](dlp-microsoft-teams.md#dlp-licensing-for-microsoft-teams) +1. [Add Microsoft Teams as a location to existing DLP policies](dlp-microsoft-teams.md#add-microsoft-teams-as-a-location-to-existing-dlp-policies) +1. [Configure our default DLP policy for Teams](mip-easy-trials.md) or [Define a new DLP policy for Microsoft Teams](dlp-microsoft-teams.md#define-a-new-dlp-policy-for-microsoft-teams) -### Step 2: [Protect data loss on device locations​](endpoint-dlp-getting-started.md) +### Step 2: [Protect data loss on device locations](endpoint-dlp-getting-started.md) > [!TIP] > Trial best practice: Setup within the first 30 days Microsoft Endpoint DLP allows you to monitor Windows 10 devices and detect when sensitive items are used and shared. -1. Prepare your endpoints - make sure that the Windows 10 and macOS devices that you plan on deploying Endpoint DLP to [meet these requirements​](endpoint-dlp-getting-started.md) -1. [Onboard devices into device management](endpoint-dlp-getting-started.md) - You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft 365 Compliance portal.​ - - Scenario 1 – [Onboarding devices](endpoint-dlp-getting-started.md) that have not been onboarded yet.​ - - Scenario 2 - [Microsoft Defender for Endpoint is already deployed and there are endpoints reporting in](endpoint-dlp-getting-started.md). All these endpoints will appear in the managed devices list. ​ -1. [Configure our default DLP policy for devices](mip-easy-trials.md#dlp-for-devices) or [Define a new DLP policy for devices​](endpoint-dlp-learn-about.md) -1. [View Endpoint DLP alerts](dlp-configure-view-alerts-policies.md) in DLP Alerts Management dashboard​ -1. [View Endpoint DLP data](data-classification-activity-explorer.md) in activity explorer​ +1. Prepare your endpoints - make sure that the Windows 10 and macOS devices that you plan on deploying Endpoint DLP to [meet these requirements](endpoint-dlp-getting-started.md) +1. [Onboard devices into device management](endpoint-dlp-getting-started.md) - You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft 365 Compliance portal. + - Scenario 1 – [Onboarding devices](endpoint-dlp-getting-started.md) that have not been onboarded yet. + - Scenario 2 - [Microsoft Defender for Endpoint is already deployed and there are endpoints reporting in](endpoint-dlp-getting-started.md). All these endpoints will appear in the managed devices list. +1. [Configure our default DLP policy for devices](mip-easy-trials.md#dlp-for-devices) or [Define a new DLP policy for devices](endpoint-dlp-learn-about.md). +1. [View Endpoint DLP alerts](dlp-configure-view-alerts-policies.md) in DLP Alerts Management dashboard. +1. [View Endpoint DLP data](data-classification-activity-explorer.md) in activity explorer. ### Step 3: [Expand policies in scope or protection​](dlp-learn-about-dlp.md#dlp-policy-configuration-overview) You have flexibility in how you configure your DLP policies. You can start with our default DLP policy for Teams and devices and expand those policies to protect additional locations, sensitive information types, or labels. In addition, you can expand upon the policy actions and customize alerting. -1. Add locations​ -1. Add sensitive information types or labels to protect​ -1. Add actions​ - - Teams: ​ - - [Prevent external access to sensitive documents​](dlp-microsoft-teams.md#prevent-external-access-to-sensitive-documents) - - [Get policy tips to help educate users and instructions for customizing policy tips​](dlp-microsoft-teams.md#policy-tips-help-educate-users) - - Devices: switch from audit only to block​ +1. Add locations +1. Add sensitive information types or labels to protect +1. Add actions + - Teams: + - [Prevent external access to sensitive documents](dlp-microsoft-teams.md#prevent-external-access-to-sensitive-documents) + - [Get policy tips to help educate users and instructions for customizing policy tips](dlp-microsoft-teams.md#policy-tips-help-educate-users) + - Devices: switch from audit only to block 1. [Configure and view alerts for data loss prevention policies - Microsoft 365 Compliance | Microsoft Docs](dlp-configure-view-alerts-policies.md) ## eDiscovery You have flexibility in how you configure your DLP policies. You can start with Take advantage of an end-to-end workflow for preserving, collecting, analyzing, and exporting content that’s responsive to your organization’s internal and external investigations. Legal teams can also manage the entire legal hold notification process by communicating with custodians involved in a case. -### Step 1 (required): [Permissions​](https://aka.ms/ediscoveryninja) +### Step 1 (required): [Permissions](https://aka.ms/ediscoveryninja) > [!TIP] > Trial best practice: Day 1 To access Advanced eDiscovery or be added as a member of an Advanced eDiscovery More organizations use the Advanced eDiscovery solution in Microsoft 365 for critical eDiscovery processes. This includes responding to regulatory requests, investigations, and litigation. -1. Manage Advanced eDiscovery – [learn how to configure Advanced eDiscovery, manage cases by using the Security & Compliance Center, manage a workflow in Advanced eDiscovery, and analyze Advanced eDiscovery search results](/learn/modules/manage-advanced-ediscovery).​ -1. [Create an eDiscovery case using Advance eDiscovery's new case format​](advanced-ediscovery-new-case-format.md) +1. Manage Advanced eDiscovery – [learn how to configure Advanced eDiscovery, manage cases by using the Security & Compliance Center, manage a workflow in Advanced eDiscovery, and analyze Advanced eDiscovery search results](/learn/modules/manage-advanced-ediscovery). +1. [Create an eDiscovery case using Advance eDiscovery's new case format](advanced-ediscovery-new-case-format.md) 1. [Close or delete a case](close-or-delete-case.md) - When the legal case or investigation is completed, you can close or delete. You can also reopen a closed case. -### Step 3 (optional): Settings​ +### Step 3 (optional): Settings To allow people in your organization start to create and use cases, you must configure global settings that apply to all cases in your organization. At this time, the only global setting is **attorney-client privilege detection** (more global settings will be available in the future). 1. [Set up Advanced eDiscovery – Global Settings](get-started-with-advanced-ediscovery.md#step-3-configure-global-settings-for-advanced-ediscovery)-1. [Configure search and analytics settings​](configure-search-and-analytics-settings-in-advanced-ediscovery.md) -1. [Manage jobs in Advanced eDiscovery​](managing-jobs-ediscovery20.md) +1. [Configure search and analytics settings](configure-search-and-analytics-settings-in-advanced-ediscovery.md) +1. [Manage jobs in Advanced eDiscovery](managing-jobs-ediscovery20.md) -### Step 4 (optional): [Compliance Boundaries​](set-up-compliance-boundaries.md) +### Step 4 (optional): [Compliance Boundaries](set-up-compliance-boundaries.md) Compliance boundaries create logical boundaries within an organization that control the user content locations (such as mailboxes, OneDrive accounts, and SharePoint sites) that eDiscovery managers can search. They also control who can access eDiscovery cases used to manage the legal, human resources, or other investigations within your organization.  -Set up compliance boundaries for eDiscovery investigations: ​ +Set up compliance boundaries for eDiscovery investigations: -1. [Identify a user attribute to define your agencies​](set-up-compliance-boundaries.md#step-1-identify-a-user-attribute-to-define-your-agencies) -1. [Create a role group for each agency​](set-up-compliance-boundaries.md#step-2-create-a-role-group-for-each-agency) -1. [Create a search permissions filter to enforce the compliance boundary​](set-up-compliance-boundaries.md#step-3-create-a-search-permissions-filter-to-enforce-the-compliance-boundary) +1. [Identify a user attribute to define your agencies](set-up-compliance-boundaries.md#step-1-identify-a-user-attribute-to-define-your-agencies) +1. [Create a role group for each agency](set-up-compliance-boundaries.md#step-2-create-a-role-group-for-each-agency) +1. [Create a search permissions filter to enforce the compliance boundary](set-up-compliance-boundaries.md#step-3-create-a-search-permissions-filter-to-enforce-the-compliance-boundary) 1. [Create an eDiscovery case for an intra-agency investigations](set-up-compliance-boundaries.md#step-4-create-an-ediscovery-case-for-intra-agency-investigations) -### Step 5 (optional): [Learn about Content search tool​](search-for-content.md) +### Step 5 (optional): [Learn about Content search tool](search-for-content.md) Use the Content search tool in the Microsoft 365 compliance center to quickly find email in Exchange mailboxes, documents in SharePoint sites and OneDrive locations, and instant messaging conversations in Skype for Business. You can use the content search tool to search for email, documents, and instant messaging conversations in collaboration tools such as Microsoft Teams and Microsoft 365 Groups. Implement Microsoft Information Protection and sensitivity labels, to help you d Eligible customers can activate default labels and policies for Microsoft Information Protection. When you enable the default configuration in the trial, it will take about 2 minutes to configure all policies for your tenant and up to 24 hours to see the results of these default policies. -Choosing the default configuration, with 1-click, the following is automatically configured: ​ +Choosing the default configuration, with 1-click, the following is automatically configured: -- Sensitivity labels and a sensitivity label policy​-- Client-side auto-labeling​-- Service-side auto-labeling​-- Data loss prevention (DLP) policies for Teams and devices​+- Sensitivity labels and a sensitivity label policy +- Client-side auto-labeling +- Service-side auto-labeling +- Data loss prevention (DLP) policies for Teams and devices -[Activate the default labels and policies](mip-easy-trials.md#activate-the-default-labels-and-policies). ​If necessary, you can edit manually after the configuration is complete. +[Activate the default labels and policies](mip-easy-trials.md#activate-the-default-labels-and-policies). If necessary, you can edit manually after the configuration is complete. ### Step 2: [Automatically apply sensitivity labels to documents](apply-sensitivity-label-automatically.md) Choosing the default configuration, with 1-click, the following is automatically When you create a sensitivity label, you can automatically assign that label to files and emails when it matches conditions that you specify. -1. [Create and configure sensitivity labels​](create-sensitivity-labels.md#create-and-configure-sensitivity-labels) -1. [Publish sensitivity label policy to all users​](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) -1. [Create an auto-labeling policy​](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) - - Choose info you want label applied to​ - - Define locations to apply label​ - - Select label to apply​ - - [Run policy in simulation mode​](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) +1. [Create and configure sensitivity labels](create-sensitivity-labels.md#create-and-configure-sensitivity-labels) +1. [Publish sensitivity label policy to all users](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) +1. [Create an auto-labeling policy](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) + - Choose info you want label applied to + - Define locations to apply label + - Select label to apply + - [Run policy in simulation mode](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy)  ### Step 3: [Review and turn on auto-labeling policy](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) -Now on the **Information protection** > **Auto-labeling** page, you see your auto-labeling policy in the **Simulation** section. ​ +Now on the **Information protection** > **Auto-labeling** page, you see your auto-labeling policy in the **Simulation** section. Select your policy to see the details of the configuration and status. When the simulation is complete, select the Items to review tab to see which emails or documents matched the rules that are specified. When you're ready to run the policy without simulation, select the **Turn on pol Leverage artificial intelligence to help you quickly identify, triage, and remediate internal risks. Using logs from Microsoft 365 and Azure services, you can define policies that monitor for insider risk signals, then take remediation actions such as promoting user education or initiating an investigation. -### Step 1 (required): [Enable permissions for insider risk management​](insider-risk-management-configure.md#step-1-required-enable-permissions-for-insider-risk-management) +### Step 1 (required): [Enable permissions for insider risk management](insider-risk-management-configure.md#step-1-required-enable-permissions-for-insider-risk-management) > [!TIP] > Trial best practice: Day 1 -There are four role groups used to configure permissions to manage insider risk management features. ​ +There are four role groups used to configure permissions to manage insider risk management features. -[Add users to an insider risk management role group.​](insider-risk-management-configure.md#add-users-to-an-insider-risk-management-role-group) +[Add users to an insider risk management role group.](insider-risk-management-configure.md#add-users-to-an-insider-risk-management-role-group) If you are not able to see permissions, please talk to your tenant admin to assign the correct roles. If you are not able to see permissions, please talk to your tenant admin to assi Quickly get started and get the most out of insider risk management capabilities with recommended actions. Included on the Overview page, recommended actions help guide you through the steps to configure and deploy policies and to take investigation actions for user actions that generate alerts from policy matches. -[Select a recommendation from the list](insider-risk-management-configure.md#recommended-actions-preview) to get started with configuring insider risk management. ​ +[Select a recommendation from the list](insider-risk-management-configure.md#recommended-actions-preview) to get started with configuring insider risk management.  Each recommended action guides you through the required activities for the recom ### Step 3 (required): [Enable the Microsoft 365 audit log](insider-risk-management-configure.md#step-2-required-enable-the-microsoft-365-audit-log) -Auditing is enabled for Microsoft 365 organizations by default. Some organizations may have disabled auditing for specific reasons. If auditing is disabled for your organization, it might be because another administrator has turned it off. We recommend confirming that it's OK to turn auditing back on when completing this step.​ +Auditing is enabled for Microsoft 365 organizations by default. Some organizations may have disabled auditing for specific reasons. If auditing is disabled for your organization, it might be because another administrator has turned it off. We recommend confirming that it's OK to turn auditing back on when completing this step. For step-by-step instructions to turn on auditing, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md). After you turn on auditing, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this action once. For more information about the using the Microsoft 365 audit log, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md). ### Step 4 (required): [Enable and view insider risk analytics insights](insider-risk-management-configure.md#step-3-optional-enable-and-view-insider-risk-analytics-insights) -Insider risk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics (preview)](insider-risk-management-settings.md) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help you understand your insider risk posture and help you take action by setting up appropriate policies to identify risky users.​ +Insider risk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see [Insider risk management settings: Analytics (preview)](insider-risk-management-settings.md) and check out the [Insider Risk Management Analytics video](https://www.youtube.com/watch?v=5c0P5MCXNXk) to help you understand your insider risk posture and help you take action by setting up appropriate policies to identify risky users. To enable insider risk Analytics, you must be a member of the Insider Risk Management or Insider Risk Management Admin. [Complete these steps to enable insider risk analytics](insider-risk-management-configure.md). ## Records Management -**Automate the retention schedule for business-critical records​** +**Automate the retention schedule for business-critical records** Use integrated Records Management features to automate the retention schedule for organizational regulatory, legal, and business-critical records. Get full content lifecycle support, from creation to collaboration, record declaration, retention, and disposition. Use integrated Records Management features to automate the retention schedule fo > [!TIP] > Trial best practice: Day 1 -Adaptive policy scopes allow you to dynamically target a policy to certain users, groups, or sites based on their AD attributes. ​ +Adaptive policy scopes allow you to dynamically target a policy to certain users, groups, or sites based on their AD attributes. -Attributes for scopes can be selected from a list or customized using an advanced query builder.​ +Attributes for scopes can be selected from a list or customized using an advanced query builder. Policies using adaptive policy scopes stay current as the organization changes with new employees joining or leaving. Additionally, they are not subject to the previous limits of 100/1,000 locations included in a policy. - Create an [Adaptive Policy Scope](retention.md#adaptive-or-static-policy-scopes-for-retention), and use it with a retention policy -### Step 2: Automate labeling of sensitive information with the ability to review before disposal​ +### Step 2: Automate labeling of sensitive information with the ability to review before disposal > [!TIP] > Trial best practice: Setup within the first 30 days -Retention labels can be set up to apply automatically to content when it detects sensitive information, such as a credit card number. This removes the need for users to manually perform the labeling activity.​ +Retention labels can be set up to apply automatically to content when it detects sensitive information, such as a credit card number. This removes the need for users to manually perform the labeling activity. -At the end of the retention period, users you specify ("reviewers") will be notified to review the content and approve the permanent disposal action. That way if something needs to be retained for longer, it can be.​ +At the end of the retention period, users you specify ("reviewers") will be notified to review the content and approve the permanent disposal action. That way if something needs to be retained for longer, it can be. Both label application activity and disposition review activity can be viewed on your Records Management Overview screen. -1. [Auto-apply retention labels to content containing sensitive information](retention.md#retention-labels) ​ +1. [Auto-apply retention labels to content containing sensitive information](retention.md#retention-labels) 1. Create and apply a retention label with [disposition review](disposition.md#disposition-reviews) at the end of the retention period -### Step 3: Label content as records automatically using trainable classifiers​ +### Step 3: Label content as records automatically using trainable classifiers -When content is declared a record, restrictions are placed on the item in terms of what actions are allowed or blocked, additional activities about the items are logged, and you have proof of disposition if the items are deleted at the end of their retention period. ​ +When content is declared a record, restrictions are placed on the item in terms of what actions are allowed or blocked, additional activities about the items are logged, and you have proof of disposition if the items are deleted at the end of their retention period. Trainable classifiers are tools that recognize various types of content, based off samples it has been given. Choose from a variety of built-in options or set up a custom classifier to meet your specific needs. -1. Create a retention label that [declares content as a record or a regulatory record​](records-management.md#records) +1. Create a retention label that [declares content as a record or a regulatory record](records-management.md#records) 1. [Auto-apply retention labels to content using trainable classifiers](apply-retention-labels-automatically.md#auto-apply-labels-to-content-by-using-trainable-classifiers) -### More information: Auto-apply retention labels + disposition review​ +### More information: Auto-apply retention labels + disposition review -**Apply labels automatically to retain what you need…​** -Retention labels can be automatically applied to content when it contains:​ +**Apply labels automatically to retain what you need…** +Retention labels can be automatically applied to content when it contains: -- [Specific types of sensitive information​](apply-retention-labels-automatically.md#auto-apply-labels-to-content-with-specific-types-of-sensitive-information)-- [Specific keywords or searchable properties that match a query you create​](apply-retention-labels-automatically.md#auto-apply-labels-to-content-with-keywords-or-searchable-properties)-- [A match for trainable classifiers​](apply-retention-labels-automatically.md#auto-apply-labels-to-content-by-using-trainable-classifiers)+- [Specific types of sensitive information](apply-retention-labels-automatically.md#auto-apply-labels-to-content-with-specific-types-of-sensitive-information) +- [Specific keywords or searchable properties that match a query you create](apply-retention-labels-automatically.md#auto-apply-labels-to-content-with-keywords-or-searchable-properties) +- [A match for trainable classifiers](apply-retention-labels-automatically.md#auto-apply-labels-to-content-by-using-trainable-classifiers) -**…then dispose of it safely at the end.​** +**…then dispose of it safely at the end.** -When a disposition review is triggered at the end of the retention period, the reviewers you choose receive an email notification that they have content to review. ​ +When a disposition review is triggered at the end of the retention period, the reviewers you choose receive an email notification that they have content to review. Content pending a disposition review is permanently deleted only after a reviewer for the final stage of disposition chooses to permanently delete the content. Help your organization assess risks and efficiently respond to nations, regional [More information on the Compliance Manager premium assessments trial](compliance-easy-trials-compliance-manager-assessments.md). -### Privacy Management +### Microsoft Priva Privacy Risk Management and Microsoft Priva Subject Rights Requests -**Identify & prevent​ privacy risks** +**Identify & prevent privacy risks** -Proactively identify and protect against privacy risks such as data hoarding, data transfers, and data oversharing and help your organization automate and manage subject requests at scale.​ +Proactively identify and protect against privacy risks such as data hoarding, data transfers, and data oversharing and help your organization automate and manage subject requests at scale. -[Learn more about privacy management for Microsoft 365](/privacy/solutions/privacymanagement/privacy-management). +[Learn more about Microsoft Priva](/privacy/solutions/privacymanagement/privacy-management). -[Trial playbook: Privacy Management for Microsoft 365](/privacy/solutions/privacymanagement/privacy-management-trial-playbook) +[Trial playbook: Microsoft Priva](/privacy/solutions/privacymanagement/privacy-management-trial-playbook) ## Additional resources -**What’s included**: For a full list of Microsoft 365 compliance solutions and features listed by product tier, view the [Feature Matrix​](https://go.microsoft.com/fwlink/?linkid=2139145). -​ -**Microsoft Security Technical Content Library**: Explore this library to find interactive guides and other learning content relevant to your needs. [Visit Library​](/security/content-library). +**What’s included**: For a full list of Microsoft 365 compliance solutions and features listed by product tier, view the [Feature Matrix](https://go.microsoft.com/fwlink/?linkid=2139145). ++**Microsoft Security Technical Content Library**: Explore this library to find interactive guides and other learning content relevant to your needs. [Visit Library](/security/content-library). **Microsoft Security Resources**: From antimalware to Zero Trust, get all the relevant resources for your organization’s security needs. [Visit Resources](/security/business/resources). |
| compliance | Compliance Easy Trials | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-easy-trials.md | Wondering what you can experience in your free trial? The compliance solutions t Take advantage of an end-to-end workflow for preserving, collecting, analyzing, and exporting content that's responsive to your organization's internal and external investigations. Legal teams can also manage the entire legal hold notification process by communicating with custodians involved in a case. [Learn more about eDiscovery](ediscovery.md) +- **Information Governance** ++ Automate your retention policy coverage using Adaptive Policy Scopes. This feature allows you to dynamically target retention policies to specific users, groups, or sites. These policies automatically update when changes occur in your organization. In addition, retention policies using adaptive scopes are not subject to location limits. [Learn more about Adaptive Policy Scopes](create-retention-policies.md). ++ - **Information Protection** Implement Microsoft Information Protection with [sensitivity labels](sensitivity-labels.md) and [data loss prevention policies](dlp-learn-about-dlp.md) to help you discover, classify, and protect your sensitive content wherever it lives or travels. Wondering what you can experience in your free trial? The compliance solutions t - **Records Management** - Use integrated Records Management features to automate the retention schedule for organizational regulatory, legal, and business-critical records. Get full content lifecycle support, from creation to collaboration, record declaration, retention, and disposition. [Learn more about Records Management](records-management.md) + Use integrated Records Management features to: + - Classify content as a record to prevent users from editing, as required by regulations, laws, or organizational policy + - Apply retention labels to content automatically when it matches criteria you specify, using auto-apply label policies + - Use adaptive scope policies to dynamically target your retention label policies to locations, with no limit on how many locations are included + - Get full content lifecycle support, including the ability to perform disposition review on contents before they are permanently deleted at the end + For more information on the full range of feature for Microsoft Records Management, please see [Learn more about Records Management](records-management.md) |
| compliance | Compliance Extensibility | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-extensibility.md | -# Microsoft 365 compliance extensibility +# Microsoft 365 Compliance and Microsoft Priva extensibility Microsoft 365 compliance solutions help organizations intelligently assess their compliance risks, govern and protect sensitive data, and effectively respond to regulatory requirements. Microsoft 365 compliance is rich in extensibility scenarios and enables organizations to adapt, extend, integrate, accelerate, and support their compliance solutions. Many of the data connectors available in the Microsoft 365 compliance center to For data connectors in the Microsoft 365 compliance center provided by one of Microsoft's partners, your organization will need a business relationship with the partner before you can deploy a connector. -For licensing requirements for third-party data connectors, see the "Data connectors" section in [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#data-connectors). +For licensing requirements for third-party data connectors, see the "Data connectors" section in [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance). ## APIs -Microsoft 365 compliance APIs are available in the Microsoft Information Protection SDK, Microsoft Graph API, and the Office 365 Management Activity API. Some compliance APIs are part of a new set of security and compliance APIs that enable developers for Microsoft 365 customers, independent software vendors, system integrators, and managed security service providers to build high-value security and compliance solutions. +Microsoft 365 compliance and Microsoft Priva APIs are available in the Microsoft Information Protection SDK, Microsoft Graph API, and the Office 365 Management Activity API. Some compliance APIs are part of a new set of security and compliance APIs that enable developers for Microsoft 365 customers, independent software vendors, system integrators, and managed security service providers to build high-value security and compliance solutions. To learn more about how to access Graph APIs, see [Overview of Microsoft Graph](/graph/overview). +### Microsoft Graph APIs for subject rights requests ++In accordance with certain privacy regulations around the world, individuals can make requests to review or manage the personal data about themselves that companies have collected. These requests are referred to as *subject rights requests* within the Microsoft Priva Subject Rights Requests solution. Subject rights requests are also referred to as *data subject requests* (DSRs) or *data subject access requests* (DSARs). Microsoft Graph APIs for subject rights requests enable developers to integrate Microsoft 365-related subject rights requests with the broader privacy ecosystem. This API-based extensibility enables organizations to respond to subject rights requests in a unified manner across their entire data estate covering both Microsoft and non-Microsoft environments. This capability also helps with automation at scale and helps organizations meet industry regulations more efficiently without relying on manual processes. ++To learn more, see [Microsoft Graph APIs for subject rights request](/graph/api/resources/subjectrightsrequest-subjectrightsrequestapioverview). + ### Microsoft Information Protection (MIP) SDK The MIP SDK exposes the labeling and protection services from Microsoft 365 security and compliance centers to third-party applications and services. Developers can use the SDK to build native support for applying labels and protection to files. Developers can determine which actions should be taken when specific labels are detected, and reason over MIP-encrypted information. To learn more about the MIP SDK, prerequisites, additional scenarios, and sample ### Microsoft Graph API for Teams DLP -[Data loss prevention (DLP)](dlp-microsoft-teams.md) capabilities are widely used in Microsoft Teams particularly as organizations have shifted to remote work. Earlier this year we [announced the public preview](https://developer.microsoft.com/graph/blogs/announcing-change-notifications-for-microsoft-teams-messages/) of the Microsoft Graph Change Notification API for messages in Teams. This API enables developers to build apps that can listen to Microsoft Teams messages in near-real time and then implement DLP scenarios for both customers and partners. Additionally, Microsoft Graph Patch API lets you apply DLP actions to Teams messages. +[Data loss prevention (DLP)](dlp-microsoft-teams.md) capabilities are widely used in Microsoft Teams particularly as organizations have shifted to remote work. Recently we [announced the general availability](https://devblogs.microsoft.com/microsoft365dev/change-notifications-for-microsoft-teams-messages-now-generally-available/) of the Microsoft Graph Change Notification API for messages in Teams. This API enables developers to build apps that can listen to Microsoft Teams messages in near-real time and then implement DLP scenarios for both customers and partners. Additionally, Microsoft Graph Patch API lets you apply DLP actions to Teams messages. -These two APIs form the Microsoft Graph API for Teams DLP. You can get started by trying out the [sample app](https://github.com/microsoftgraph/csharp-webhook-with-resource-data). For more information about Microsoft Teams messaging webhooks, see the [documentation](/graph/api/subscription-post-subscriptions). +These two APIs form the Microsoft Graph API for Teams DLP. You can get started by trying out the [sample app](https://github.com/microsoftgraph/aspnetcore-webhooks-sample). For more information about Microsoft Teams messaging webhooks, see the [documentation](/graph/api/subscription-post-subscriptions). -For the licensing requirements for Teams DLP, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#communication-data-loss-prevention-for-teams). +For the licensing requirements for Teams DLP, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance). ### Microsoft Graph API for eDiscovery (preview) With [Advanced eDiscovery](overview-ediscovery-20.md), organizations can discove Graph APIs for Advanced eDiscovery can be used to create and manage cases, review sets, and review set queries in a scalable and repeatable manner. This enables customers and partners to create apps and workflows to automate common and repetitive processes such as creating cases and managing custodians and legal holds. -The first set of Graph APIs for eDiscovery are available in public preview. We plan to add more capabilities by the end of the calendar year. To learn more about these APIs and other updates for Advanced eDiscovery, see this [blog](https://aka.ms/Ignite2020AeDAA). +The first set of Graph APIs for eDiscovery are available in public preview. We plan to add more capabilities by the end of the calendar year. To learn more about these APIs and other updates for Advanced eDiscovery, see this [blog](https://aka.ms/Ignite2020AeDAA). For the licensing requirements for Advanced eDiscovery and the API, see the "eDiscovery" section in the [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#ediscovery). ### Microsoft Graph API for Teams Export -Enterprise Information Archiving (EIA) for Microsoft Teams is a key scenario for our customers as it allows them to solve for regulatory requirements. In addition to our built-in capabilities for archiving content in Microsoft Teams, customers and partners can now use Teams Export APIs to solve for custom application and integration scenarios. The Teams Export APIs support bulk-export (up to 200 requests per second/per app/per tenant) of Teams messages and message attachments. Deleted messages are also accessible by the API for up to 30 days after they are deleted. For more information about these Teams Export APIs and how to use them in your applications, see [Export content with the Microsoft Teams Export APIs](/microsoftteams/export-teams-content). +Enterprise Information Archiving (EIA) for Microsoft Teams is a key scenario for our customers as it allows them to solve for regulatory requirements. In addition to our built-in capabilities for archiving content in Microsoft Teams, customers and partners can now use Teams Export APIs to solve for custom application and integration scenarios. The Teams Export APIs support bulk-export (up to 200 requests per second/per app/per tenant) of Teams messages and message attachments. Deleted messages are also accessible by the API for up to 30 days after they are deleted. For more information about these Teams Export APIs and how to use them in your applications, see [Export content with the Microsoft Teams Export APIs](/microsoftteams/export-teams-content). For the licensing requirements for the use of the Teams Export APIs, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance). ### Microsoft Graph Connector APIs (preview) -With [Microsoft Graph connectors](/microsoftsearch/connectors-overview), organizations can index third-party data so it appears in Microsoft Search results. This feature expands the types of content sources that are searchable in your Microsoft 365 productivity apps and the broader Microsoft ecosystem. The third-party data can be hosted on-premises or in public or private clouds. Starting with Advanced eDiscovery, we're enabling developer preview of built-in compliance value of Microsoft 365 connected apps. This enables compliance for apps integrating into the Microsoft 365 ecosystem to empower users with seamless compliance experiences. To learn more about to how to incorporate Microsoft Graph Connector APIs in your apps view, see [Create, update, and delete connections in the Microsoft Graph](/graph/search-index-manage-connections). +With [Microsoft Graph connectors](/microsoftsearch/connectors-overview), organizations can index third-party data so it appears in Microsoft Search results. This feature expands the types of content sources that are searchable in your Microsoft 365 productivity apps and the broader Microsoft ecosystem. The third-party data can be hosted on-premises or in public or private clouds. Starting with Advanced eDiscovery, we're enabling developer preview of built-in compliance value of Microsoft 365 connected apps. This enables compliance for apps integrating into the Microsoft 365 ecosystem to empower users with seamless compliance experiences. To learn more about to how to incorporate Microsoft Graph Connector APIs in your apps view, see [Create, update, and delete connections in the Microsoft Graph](/graph/connecting-external-content-connectors-api-overview). |
| compliance | Compliance Manager Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-whats-new.md | We published new assessment templates, including: - Australia - ASD Essential 8 Maturity Level 2 - Australia - ASD Essential 8 Maturity Level 3 -### Integration with privacy management +### Integration with Microsoft Priva -Compliance Manager can now work hand in hand with privacy management, a solution that can help you safeguard the personal data your organization stores in Microsoft 365. Privacy management offers tools to help you visualize and understand your data, implement policies to manage key risk scenarios, and handle subject rights requests. When you take steps in privacy management to protect the personal data you store, this can contribute to your privacy assessments in Compliance Manager and can help you improve your compliance score. To see how privacy management and other solutions are contributing to your score, and learn about potential opportunities for further improvements, see the **Solutions** tab in Compliance Manager. You can also find more details about privacy management at [Learn about privacy management](/privacy/solutions/privacymanagement/privacy-management). +Compliance Manager can now work hand in hand with Microsoft Priva, a solution that can help you safeguard the personal data your organization stores in Microsoft 365. Priva offers tools to help you visualize and understand your data, implement policies to manage key risk scenarios, and handle subject rights requests. When you take steps in Priva to protect the personal data you store, this can contribute to your privacy assessments in Compliance Manager and can help you improve your compliance score. To see how Priva and other solutions are contributing to your score, and learn about potential opportunities for further improvements, see the **Solutions** tab in Compliance Manager. You can also find more details about Priva at [Learn about Microsoft Priva](/privacy/priva). ## July 2021 |
| compliance | Create A Custom Sensitive Information Type | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type.md | The SIT instance count limit applies when SITs are used in these solutions: - Communication Compliance - Records Management - Microsoft Defender for Cloud Apps-- Privacy Management+- Microsoft Priva For a scanned item to satisfy rule criteria, the number of unique instances of a SIT in any single item must fall between the min and max values. This is called the **Instance count**. |
| compliance | Device Onboarding Mdm | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-mdm.md | For security reasons, the package used to Offboard devices will expire 30 days a > [!NOTE] > If Microsoft Defender for Endpoint is already configured, you can **Turn on device onboarding** and Step 6 is no longer required. -For more information on Microsoft Intune policy settings, see [Windows 10 policy settings in Microsoft Intune](/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). - > [!NOTE] > The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated. |
| compliance | Device Onboarding Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-overview.md | Make sure that the Windows devices that you need to onboard meet these requireme 1. Must be running Windows 10 x64 build 1809 or later or Windows 11. -2. Antimalware Client Version is 4.18.2009.7 or newer. Check your current version by opening Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623. +2. Antimalware Client Version is 4.18.2110 or newer. Check your current version by opening Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623. > [!NOTE] > None of Windows Security components need to be active, but the [Real-time protection and Behavior monitor](/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)) must be enabled. Make sure that the Windows devices that you need to onboard meet these requireme - [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - [AAD registered](/azure/active-directory/user-help/user-help-register-device-on-network) -5. For devices running Office 2016 (and not any other Office version) - KB4577063 --6. If you are on Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, there is a known issue with classifying Office content and you need to update to version 2009 or later. See [Update history for Microsoft 365 Apps (listed by date)](/officeupdates/update-history-microsoft365-apps-by-date) for current versions. To learn more about this issue, see the Office Suite section of [Release notes for Current Channel releases in 2020](/officeupdates/current-channel#version-2010-october-27). +5. A supported version of Microsoft Office is installed and up to date. For the most robust protection and user experience, ensure Microsoft 365 Apps version 16.0.14701.0 or newer is installed. +> [!NOTE] + >If you are running Office 265 - KB 4577063 is required + >If you are on Monthly Enterprise Channel of Microsoft 365 Apps versions 2004-2008, you need to update to version 2009 or later. See [Update history for Microsoft 365 Apps (listed by date)](/officeupdates/update-history-microsoft365-apps-by-date) for current versions. To learn more about known issue, see the Office Suite section of [Release notes for Current Channel releases in 2020](/officeupdates/current-channel#version-2010-october-27). -7. If you have endpoints that use a device proxy to connect to the internet, follow the procedures in [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection). +6. If you have endpoints that use a device proxy to connect to the internet, follow the procedures in [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection). ## Onboarding Windows 10 or Windows 11 devices |
| compliance | Keyword Queries And Search Conditions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/keyword-queries-and-search-conditions.md | description: "Learn about email and document properties that you can search by u # Keyword queries and search conditions for eDiscovery -This topic describes the email and document properties that you can search for in email items and Microsoft Teams chat conversations in Exchange Online, and documents stored on SharePoint and OneDrive for Business sites using the eDiscovery search tools in the Microsoft 365 compliance center. This includes Content search, Core eDiscovery, and Advanced eDiscovery (eDiscovery searches in Advanced eDiscovery are called *collections*). You can also use the **\*-ComplianceSearch** cmdlets in Security & Compliance Center PowerShell to search for these properties. The topic also describes: +This article describes the email and document properties that you can search for in email items and Microsoft Teams chat conversations in Exchange Online, and documents stored on SharePoint and OneDrive for Business sites using the eDiscovery search tools in the Microsoft 365 compliance center. This includes Content search, Core eDiscovery, and Advanced eDiscovery (eDiscovery searches in Advanced eDiscovery are called *collections*). You can also use the **\*-ComplianceSearch** cmdlets in Security & Compliance Center PowerShell to search for these properties. The article also describes: - Using Boolean search operators, search conditions, and other search query techniques to refine your search results. - Searching for sensitive data types and custom sensitive data types in SharePoint and OneDrive for Business. For more information about creating queries using the `SensitiveType` property, Then you can use the ID in the `SensitiveType` search property to return documents that contain the custom sensitive data type; for example, `SensitiveType:7e13277e-6b04-3b68-94ed-1aeb9d47de37` -- You can't use sensitive information types and the `SensitiveType` search property to search for sensitive data at-rest in Exchange Online mailboxes. This includes 1:1 chat messages, 1:N group chat messages, and team channel conversations in Microsoft teams because all of this content is stored in mailboxes. However, you can use data loss prevention (DLP) policies to protect sensitive email data in transit. For more information, see [Learn about data loss prevention](dlp-learn-about-dlp.md) and [Search for and find personal data](/compliance/regulatory/gdpr).+- You can't use sensitive information types and the `SensitiveType` search property to search for sensitive data at-rest in Exchange Online mailboxes. This includes 1:1 chat messages, 1:N group chat messages, and team channel conversations in Microsoft Teams because all of this content is stored in mailboxes. However, you can use data loss prevention (DLP) policies to protect sensitive email data in transit. For more information, see [Learn about data loss prevention](dlp-learn-about-dlp.md) and [Search for and find personal data](/compliance/regulatory/gdpr). ## Search operators Boolean search operators, such as **AND**, **OR**, and **NOT**, help you define |\<=|property\<=value|Denotes that the property being searched is less than or equal to a specific value.<sup>1</sup>| |\>=|property\>=value|Denotes that the property being searched is greater than or equal to a specific value.<sup>1</sup>| |..|property:value1..value2|Denotes that the property being searched is greater than or equal to value1 and less than or equal to value2.<sup>1</sup>|-|" "|"fair value" <p> subject:"Quarterly Financials"|Use double quotation marks (" ") to search for an exact phrase or term in keyword and `property:value` search queries.| -|\*|cat\* <p> subject:set\*|Prefix searches (also called *prefix matching*) where a wildcard character ( * ) is placed at the end of a word in keywords or `property:value` queries. In prefix searches, the search returns results with terms that contain the word followed by zero or more characters. For example, ` Title: set*` returns documents that contain the word "set", "setup", and "setting" (and other words that start with "set") in the document title. <p> **Note:** You can use only prefix searches; for example, **cat\*** or **set\***. Suffix searches (**\*cat**), infix searches (**c\*t**), and substring searches (**\*cat\***) are not supported. <p> Also, adding a period ( \. ) to a prefix search will change the results that are returned. That's because a period is treated as a stop word. For example, searching for **cat\*** and searching for **cat.\*** will return different results. We recommend not using a period in a prefix search.| +|" "|"fair value" <p> subject:"Quarterly Financials"|In a keyword query (where you type the `property:value` pair in the **Keyword** box), use double quotation marks (" ") to search for an exact phrase or term. However, if you use the **Subject** or **Subject/Title** [search condition](#search-conditions) condition, don't add double quotation marks to the value because quotation marks are automatically added when using these search conditions. If you do add quotation marks to the value, two pairs of double quotations will be added to the condition value, and the search query will return an error. | +|\*|cat\* <p> subject:set\*|Prefix searches (also called *prefix matching*) where a wildcard character ( * ) is placed at the end of a word in keywords or `property:value` queries. In prefix searches, the search returns results with terms that contain the word followed by zero or more characters. For example, ` Title: set*` returns documents that contain the word "set", "setup", and "setting" (and other words that start with "set") in the document title. <p> **Note:** You can use only prefix searches; for example, **cat\*** or **set\***. Suffix searches (**\*cat**), infix searches (**c\*t**), and substring searches (**\*cat\***) arenΓÇÖt supported. <p> Also, adding a period ( \. ) to a prefix search will change the results that are returned. That's because a period is treated as a stop word. For example, searching for **cat\*** and searching for **cat.\*** will return different results. We recommend not using a period in a prefix search.| |( )|(fair OR free) AND (from:contoso.com) <p> (IPO OR initial) AND (stock OR shares) <p> (quarterly financials)|Parentheses group together Boolean phrases, `property:value` items, and keywords. For example, `(quarterly financials)` returns items that contain the words quarterly and financials.| > [!NOTE] Create a condition using common properties when searching mailboxes and sites in |Date|For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified.| |Sender/Author|For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the **OR** operator.| |Size (in bytes)|For both email and documents, the size of the item (in bytes).|-|Subject/Title|For email, the text in the subject line of a message. For documents, the title of the document. As previously explained, the Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title, separated by commas. Two or more values are logically connected by the **OR** operator.| +|Subject/Title|For email, the text in the subject line of a message. For documents, the title of the document. As previously explained, the Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title values, separated by commas. Two or more values are logically connected by the **OR** operator. <p> **Note**: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations will be added to the condition value, and the search query will return an error.| |Retention label|For both email and documents, retention labels that have been assigned to messages and documents automatically by auto-label policies or retention labels that have been manually assigned by users. Retention labels are used to classify email and documents for information governance and enforce retention rules based on the settings defined by the label. You can type part of the retention label name and use a wildcard or type the complete label name. For more information about retention labels, see [Learn about retention policies and retention labels](retention.md).| ### Conditions for mail properties Create a condition using mail properties when searching mailboxes or public fold |Recipients|All recipient fields in an email message. These fields are To, Cc, and Bcc.| |Sender|The sender of an email message.| |Sent|The date that an email message was sent by the sender. This is the same property as the Sent email property.|-|Subject|The text in the subject line of an email message.| +|Subject|The text in the subject line of an email message. <p> **Note**: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations will be added to the condition value, and the search query will return an error.| |To|The recipient of an email message in the To field.| ### Conditions for document properties Create a condition using document properties when searching for documents on Sha |Title|The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document.| |Created|The date that a document is created.| |Last modified|The date that a document was last changed.|-|File type|The extension of a file; for example, docx, one, pptx, or xlsx. This is the same property as the FileExtension site property. <p> **Note:** If you include a File type condition using the **Equals** or **Equals any of** operator in a search query, you can't use a prefix search (by including the wildcard character ( \* ) at the end of the file type) to return all versions of a file type. If you do, the wildcard will be ignored. For example if you include the condition `Equals any of doc*`, only files with an extension of `.doc` will be returned. Files with an extension of `.docx` will not be returned. To return all versions of a file type, used the *property:value* pair in a keyword query; for example, `filetype:doc*`.| +|File type|The extension of a file; for example, docx, one, pptx, or xlsx. This is the same property as the FileExtension site property. <p> **Note:** If you include a File type condition using the **Equals** or **Equals any of** operator in a search query, you can't use a prefix search (by including the wildcard character ( \* ) at the end of the file type) to return all versions of a file type. If you do, the wildcard will be ignored. For example if you include the condition `Equals any of doc*`, only files with an extension of `.doc` will be returned. Files with an extension of `.docx` wonΓÇÖt be returned. To return all versions of a file type, used the *property:value* pair in a keyword query; for example, `filetype:doc*`.| ### Operators used with conditions This example returns email messages or calendar meetings that were sent between ## Special characters -Some special characters are not included in the search index and therefore are not searchable. This also includes the special characters that represent search operators in the search query. Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error. +Some special characters arenΓÇÖt included in the search index and therefore arenΓÇÖt searchable. This also includes the special characters that represent search operators in the search query. Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error. `+ - = : ! @ # % ^ & ; _ / ? ( ) [ ] { }` kind:im AND subject:conversation AND (received=startdate..enddate) ## Character limits for searches -There is a 4,000 character limit for search queries when searching for content in SharePoint sites and OneDrive accounts. -Here is how the total number of characters in the search query are calculated: +ThereΓÇÖs a 4,000 character limit for search queries when searching for content in SharePoint sites and OneDrive accounts. +HereΓÇÖs how the total number of characters in the search query are calculated: - The characters in keyword search query (including both user and filter fields) count against this limit. - The characters in any location property (such as the URLs for all the SharePoint sites or OneDrive locations being searched) count against this limit. For more information about character limits, see [eDiscovery search limits](limi ## Search tips and tricks -- Keyword searches are not case-sensitive. For example, **cat** and **CAT** return the same results.+- Keyword searches arenΓÇÖt case-sensitive. For example, **cat** and **CAT** return the same results. - The Boolean operators **AND**, **OR**, **NOT**, and **NEAR** must be uppercase. - A space between two keywords or two `property:value` expressions is the same as using **AND**. For example, `from:"Sara Davis" subject:reorganization` returns all messages sent by Sara Davis that contain the word reorganization in the subject line. -- Use syntax that matches the `property:value` format. Values are not case-sensitive, and they can't have a space after the operator. If there is a space, your intended value will be a full-text search. For example `to: pilarp` searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.+- Use syntax that matches the `property:value` format. Values arenΓÇÖt case-sensitive, and they can't have a space after the operator. If thereΓÇÖs a space, your intended value will be a full-text search. For example `to: pilarp` searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp. - When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar Pinilla". -- You can use only prefix searches; for example, **cat\*** or **set\***. Suffix searches (**\*cat**), infix searches (**c\*t**), and substring searches (**\*cat\***) are not supported.+- You can use only prefix searches; for example, **cat\*** or **set\***. Suffix searches (**\*cat**), infix searches (**c\*t**), and substring searches (**\*cat\***) arenΓÇÖt supported. - When searching a property, use double quotation marks (" ") if the search value consists of multiple words. For example `subject:budget Q1` returns messages that contain **budget** in the subject line and that contain **Q1** anywhere in the message or in any of the message properties. Using `subject:"budget Q1"` returns all messages that contain **budget Q1** anywhere in the subject line. |
| compliance | Sensitive Information Type Learn About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-learn-about.md | Sensitive information types are pattern-based classifiers. They detect sensitive - [Communication compliance](communication-compliance.md) - [Inside risk management](insider-risk-management-solution-overview.md) - [Auto-labelling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-for-office-apps)-- [Privacy management](/privacy/solutions/privacymanagement/privacy-management)+- [Microsoft Priva](/privacy/priva) ## Fundamental parts of a sensitive information type |
| enterprise | Upgrade From Lync 2013 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/upgrade-from-lync-2013.md | If you can't upgrade to Microsoft Teams, you can upgrade to Skype for Business S ### Upgrade to Microsoft Teams -We have detailed guidance on upgrading to Microsoft Teams from your on-premises deployment. First, let's cover some key technical requirements. You will need to establish hybrid connectivity which will enable you to move your users to Teams. [Plan hybrid connectivity](/SkypeForBusiness/hybrid/plan-hybrid-connectivity) gives an overview of setting up hybrid. Even though the article is focused on Skype for Business, all the concepts apply to Lync Server 2013 as well. See the [server version requirements](/SkypeForBusiness/hybrid/plan-hybrid-connectivity#server-version-requirements) section for Lync Server 2013-specific details. +We have detailed guidance on upgrading to Microsoft Teams from your on-premises deployment. First, let's cover some key technical requirements. You will need to establish hybrid connectivity, which will enable you to move your users to Teams. [Plan hybrid connectivity](/SkypeForBusiness/hybrid/plan-hybrid-connectivity) gives an overview of setting up a hybrid environment. Even though the article is focused on Skype for Business, all the concepts apply to Lync Server 2013 as well. See the [server version requirements](/SkypeForBusiness/hybrid/plan-hybrid-connectivity#server-version-requirements) section for Lync Server 2013-specific details. -You also need to ensure that you Lync Server 2013 deployment fully up to date. We publish a [list of all the latest updates for Lync Server 2013](https://support.microsoft.com/topic/updates-for-lync-server-2013-a2a042ac-79f0-2665-7453-0a541fb25164) However, the following update is a pre-requisite for an upgrade to Microsoft Teams: +You also need to ensure that your Lync Server 2013 deployment is fully up to date. We publish a [list of all the latest updates for Lync Server 2013](https://support.microsoft.com/topic/updates-for-lync-server-2013-a2a042ac-79f0-2665-7453-0a541fb25164) However, the following update is a pre-requisite for an upgrade to Microsoft Teams: - [September 2021 cumulative update 5.0.8308.1149 for Lync Server 2013, Core Components](https://support.microsoft.com/topic/september-2021-cumulative-update-5-0-8308-1149-for-lync-server-2013-core-components-6755903a-fc9a-44d2-b835-2a6d01f14043): This update replaces the Live ID authentication with OAuth authentication protocol for the `Move-CSUser` cmdlet, which is used for moving on-premises users to Microsoft Teams. -Even though the user experience in Microsoft Teams is far richer and superior to Lync, it is also dramatically different. Therefore, you will also need to prepare your organization and your users to ensure a rapid adoption of Microsoft Teams. We have a wealth of information available on how to prepare your organization, plan your upgrade to Teams, and ensure a successful rollout. +Even though the user experience in Microsoft Teams is far richer and superior to Lync, it is also dramatically different. Therefore, you'll also need to prepare your organization and your users to ensure a rapid adoption of Microsoft Teams. We have a wealth of information available on how to prepare your organization, plan your upgrade to Teams, and ensure a successful rollout. **We recommend that you start at our [Teams upgrade portal](/MicrosoftTeams/upgrade-skype-teams)** where you can find technical information, training resources, links to Ignite sessions, available help resources, case studies and more. Even though the user experience in Microsoft Teams is far richer and superior to ### Upgrade to Skype for Business Server -The path to Skype for Business Server is going to be different depending on the version you choose to upgrade to. Skype for Business Server 2015 supports an in-place upgrade from Lync Server 2013. On the other hand, in order to upgrade to Skype for Business Server 2019, you first will need to introduce Skype for Business Server 2019 to your Lync Server 2013 organization, and then transfer operations to the new server. +The path to Skype for Business Server is going to be different depending on the version you choose to upgrade to. Skype for Business Server 2015 supports an in-place upgrade from Lync Server 2013. On the other hand, in order to upgrade to Skype for Business Server 2019, you first will need to introduce Skype for Business Server 2019 to your Lync Server 2013 installation via adding one or more new servers, and then transfer operations to the new 2019 servers you've added. One important point to consider is that the current support phase for each product: Skype for Business 2019 is in mainstream support and Skype for Business 2015 is currently in extended support. Therefore, we recommend upgrading to Skype for Business Server 2019. To learn more about the difference between mainstream and extended support, see [Fixed Lifecycle Policy](/lifecycle/policies/fixed). |
| lighthouse | M365 Lighthouse Review Audit Logs | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-review-audit-logs.md | description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous > [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).+ Microsoft 365 Lighthouse audit logs record actions that generate a change in Lighthouse or other Microsoft 365 services. Create, edit, delete, assign, and remote actions all create audit events that you can review. By default, auditing is enabled for all customers. It can't be disabled. ## Before you begin |
| managed-desktop | Config Setting Deploy | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-deploy.md | -After you make changes to your setting categories and stage a deployment, the Deployment status page allows you to begin deploying your settings to groups. This page shows a summary of each configurable setting. By opening a setting category you can deploy settings to groups and track the progress of these deployments. +After you make changes to your setting categories and stage a deployment, the Deployment status page allows you to begin deploying your settings to groups. This page shows a summary of each configurable setting. When opening a setting category, you can deploy settings to groups and track the progress of these deployments. ## Deployment statuses -These are the statuses youΓÇÖll see for each deployment. +The following are the statuses youΓÇÖll see for each deployment. Status | Explanation | Deploy | Your change is waiting to be deployed to this group. In progress | The change is being applied to active devices in this group. Complete | The change completed on all active devices in this group.-Failed | The change failed on a 10 percent of active devices in the group, so the deployment was stopped.<br><br> A support request will be automatically opened with Microsoft Managed Desktop operations to troubleshoot the deployment. +Failed | The change failed on 10 percent of active devices in the group. The deployment was stopped.<br><br> A support request will be automatically opened with Microsoft Managed Desktop operations to troubleshoot the deployment. Reverted | The change was reverted to the last change that was successfully deployed to all deployment groups. ## Deploy changes -WeΓÇÖll show Desktop background picture in these instructions. After youΓÇÖve staged a deployment, you deploy changes from the Deployment status page. +As an example, weΓÇÖll use a desktop background picture in these instructions. After youΓÇÖve staged a deployment, you deploy changes from the Deployment status page. -**To deploy changes** +**To deploy changes:** -1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu -2. Look for the Microsoft Managed Desktop section, select **Settings**. -3. In **Deployment status** workspace, select the setting you want to deploy, and then select the staged deployment to deploy. +1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu. +2. In the Microsoft Managed Desktop section, select **Settings**. +3. In the **Deployment status** workspace, select the setting you want to deploy. Then, select the staged deployment to deploy. 4. Select **Deploy** to deploy the change to one of the deployment groups. > [!NOTE] WeΓÇÖll show Desktop background picture in these instructions. After youΓÇÖve st <!-- Needs picture updated to show MEM  --> -We recommend deploying to deployment groups in this order: Test, First, Fast, and then Broad. +We recommend deploying to deployment groups in this order: Test, First, Fast, and then Broad. When changes complete in each group, the status changes to **Complete**. When changes complete in each group, the status changes to **Complete**. After youΓÇÖve deployed a change, you can revert from **Deployment status**. When you revert a change that is **In progress** or **Complete**, the current deployment stops. The setting will revert to the last version that was deployed to all groups. -WeΓÇÖll show the steps to revert a change using the Desktop background picture as an example. +As an example, weΓÇÖll revert the desktop background picture. -**To revert a change** +**To revert a change:** -1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu -2. Look for the Microsoft Managed Desktop section, select **Settings**. -3. In **Deployment status** workspace, select the setting you want to revert, and then select the staged deployment to revert. +1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu. +2. In the Microsoft Managed Desktop section, select **Settings**. +3. In the **Deployment status** workspace, select the setting you want to revert. Then, select the staged deployment to revert. 4. Under **Need to revert this change?**, select **Revert deployment**. <!-- Needs picture updated to show MEM  --> WeΓÇÖll show the steps to revert a change using the Desktop background picture a ## Additional resources - [Configurable settings overview](config-setting-overview.md)-- [Configurable settings reference](config-setting-ref.md) +- [Configurable settings reference](config-setting-ref.md) |
| managed-desktop | Config Setting Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-overview.md | Microsoft Managed Desktop deploys settings and policies that are applied to all Configurable settings in Microsoft Managed Desktop give IT admins a way to customize and deploy settings that are unique to their organization and business needs. These settings are in addition to device configuration settings and policies that are managed by Microsoft Managed Desktop. -Configurable setting changes are made in the cloud and applied to your Microsoft Managed Desktop devices in defined deployment groups. This process is similar to how Microsoft Managed Desktop manages changes to device configuration settings and policies that are defined and managed by the service. By using the same process that Microsoft Managed Desktop uses for deploying changes, you continue to move your organization forward, using modern IT management practices. +Configurable setting changes are made in the cloud. They're applied to your Microsoft Managed Desktop devices in defined deployment groups. This process is similar to how Microsoft Managed Desktop manages changes to device configuration settings and policies that are defined and managed by the service. By using the same process that Microsoft Managed Desktop uses for deploying changes, you continue to move your organization forward, using modern IT management practices. ## When to use configurable settings? -There are a few times to use configurable settings. +Use configurable settings in the following scenarios: -**Onboarding process** ΓÇô Microsoft Managed Desktop recommends that you customize configurable settings when you onboard to Microsoft Managed Desktop service, or when you onboard a large number of devices (20 or more). Setting categories are configured in Microsoft Managed Desktop admin portal. After youΓÇÖve onboarded and have access to the admin portal, you can decide which setting categories you want to customize for your organization, make the changes, stage a deployment, and then deploy your changes. --**Maintain settings** - Review your settings regularly and make needed updates. You might need to make changes to support a change in your business. +| Scenario | Description | +| | | +| Onboarding process | Microsoft Managed Desktop recommends that you customize configurable settings when you onboard to the Microsoft Managed Desktop service, or when you onboard a large number of devices (20 or more). <br><br>Setting categories are configured in Microsoft Managed Desktop admin portal. After you onboard and have access to the admin portal, you can decide which setting categories you want to customize for your organization. After, make the changes, stage a deployment, and then deploy your changes. | +| Maintain settings | Review your settings regularly and make needed updates. You might need to make changes to support a change in your business. | ## Setting categories -These are the configurable settings categories that you can customize: -- [Desktop background picture](config-setting-ref.md#desktop-background-picture) ΓÇô Customize the desktop background picture for Microsoft Managed Desktop devices. -- [Browser start pages](config-setting-ref.md#browser-start-pages) ΓÇô Add start pages to use with Microsoft Edge. See Browser start page-- [Enterprise mode site list](config-setting-ref.md#enterprise-mode-site-list-location) ΓÇô Add sites, and their compatibility mode. Sites on the list will start in Internet Explorer. -- [Trusted sites](config-setting-ref.md#trusted-sites) ΓÇô Add trusted sites and set security zones for each site. -- [Proxy site exceptions](config-setting-ref.md#proxy) ΓÇô Set up your proxy server address number and port number, and add proxy site exceptions.--Each setting category can be customized and deployed on its own. You can deploy changes to multiple setting categories at the same time, however, you can only deploy one change at a time to a setting category. --For example: -- You can deploy changes to desktop background picture and trusted sites, each as their own deployment, at the same time. -- You canΓÇÖt deploy two deployments to browser start pages at the same time. The most recent deployment will stop earlier deployments that are still in progress.--## Configurable setting process --Microsoft Managed Desktop recommends following a process similar to the following when utilizing configurable settings for your organization: +The following are the configurable settings categories that you can customize: -**Step 1 - Plan** - Learn about configurable settings and decide which setting categories you want to configure for your organization. Create a timeline for when you expect to deploy changes to each group. Plan communication to your users that meets your internal change management processes. For example, if you're adding browser start pages, let your users know that they'll have a new set of start pages in their browser after the deployment. +| Category | Description | +| | | +| [Desktop background picture](config-setting-ref.md#desktop-background-picture) | Customize the desktop background picture for Microsoft Managed Desktop devices. | +| [Browser start pages](config-setting-ref.md#browser-start-pages) | Add start pages to use with Microsoft Edge. | +| [Enterprise mode site list](config-setting-ref.md#enterprise-mode-site-list-location) | Add sites, and their compatibility mode. Sites on the list will start in Internet Explorer. | +| [Trusted sites](config-setting-ref.md#trusted-sites) | Add trusted sites and set security zones for each site. | +| [Proxy site exceptions](config-setting-ref.md#proxy) | Set up your proxy server address number and port number, and add proxy site exceptions. | -**Step 2 - Configure and stage deployment** - Make changes to configurable settings in Microsoft Managed Desktop admin portal. Stage the changes so theyΓÇÖre ready to deploy. Remember to let your users know about the changes, and how the changes will change their device experience. +Each setting category can be customized and deployed on its own. You can deploy changes to multiple setting categories at the same time. However, you can only deploy one change at a time to a setting category. -You configure and stage changes in the Microsoft Managed Desktop admin portal. For more information, see [Customize configurable settings](config-setting-ref.md). +For example: -**Step 3 - Communicate changes** -Communicate information about upcoming changes to your users. For each deployment, complete the communication that is part of your change management processes. You should clearly communicate any change that impacts how a user works, or what they will see on their devices. +- You can deploy changes to desktop background picture and trusted sites, each as their own deployment, at the same time. +- You can't deploy two deployments to the browser start pages at the same time. The most recent deployment will stop earlier deployments that are still in progress. -**Step 4 - Deploy changes** ΓÇô Deploy your changes, starting with the Test group. The Test group allows you to validate and troubleshoot any issues in a group with fewer devices, before deploying changes to larger groups of devices. If you run into any issues, you can revert the change, update the setting, and stage a new deployment. Microsoft Managed Desktop recommends that you follow the structured approach and deploy to groups in this order: Test, First, Fast, and then Broad. +## Configurable setting process -All configurable settings are managed using the Microsoft Managed Desktop admin portal. For more information, see [Deploy changes](config-setting-deploy.md). +Microsoft Managed Desktop recommends following a process like the one below when using configurable settings for your organization: -**Step 5 - Track changes** ΓÇô Track the progress for your changes on Deployment status. For each setting, you can: -- **Track progress** ΓÇô Track status after you deploy the change. The status will change to **In progress**, and then either **Complete**, or **Failed**. If a deployment fails, a support request is automatically opened for Microsoft Managed Desktop Operations to investigate the issue. -- **See version deployed** ΓÇô Each deployed change has a version number.-- **Revert changes** ΓÇô Reverting a change stops the current deployment, and reverts all groups to the last changes that were deployed to all groups. You are rolling back to the last-known-good setting value.-- **Validate changes** - After the deployment is complete, validate the changes were applied as you expected. +| Step | Process | +| | | +| **Step 1: Plan** | <ol type="1"><li>Learn about configurable settings and decide which setting categories you want to configure for your organization.</li> <li>Create a timeline when you expect to deploy changes to each group.</li> <li>Plan communication to your users that meets your internal change management processes. For example, if you're adding browser start pages, inform your users they'll have a new set of start pages in their browser after the deployment.</li></ol> | +| **Step 2: Configure and stage deployment** | <ol type="1"><li>Make changes to configurable settings in Microsoft Managed Desktop admin portal.</li><li>Stage the changes so theyΓÇÖre ready to deploy.</li> <li>Remember to inform your users about the changes, and how the changes will change their device experience.</li><li>Configure and stage changes in the Microsoft Managed Desktop admin portal. For more information, see [Customize configurable settings](config-setting-ref.md).</li></ol>| +| **Step 3: Communicate changes** | <ol type="1"><li>Communicate information about upcoming changes to your users.</li> <li>For each deployment, complete the communication that is part of your change management processes. You should clearly communicate any change that impacts how a user works, or what they'll see on their devices.</li></ol> | +| **Step 4: Deploy changes** | Deploy your changes, starting with the Test group. The Test group allows you to validate and troubleshoot any issues in a group with fewer devices, before deploying changes to larger groups of devices. <br><br>If you run into any issues, you can revert the change, update the setting, and stage a new deployment. Microsoft Managed Desktop recommends that you follow the structured approach and deploy to groups in this order: Test, First, Fast, and then Broad. <br><br>All configurable settings are managed using the Microsoft Managed Desktop admin portal. For more information, see [Deploy changes](config-setting-deploy.md). | +| **Step 5: Track changes** | Track the progress for your changes in the Deployment status section. For each setting, you can: <ul><li>**Track progress:** Track status after you deploy the change. The status will change to **In progress**, and then either **Complete**, or **Failed**. If a deployment fails, a support request is automatically opened for Microsoft Managed Desktop Operations to investigate the issue.</li> <li>**See version deployed:** Each deployed change has a version number.</li><li>**Revert changes:** Reverting a change stops the current deployment. It reverts all groups to the last changes that were deployed to all groups. You're rolling back to the last-known-good setting value.</li><li>**Validate changes:** After the deployment is complete, validate the changes were applied as you expected.</li></ul> | -If a deployment has failed, or you can't revert a change, [open a support request](admin-support.md) with Microsoft Managed Desktop Operations. +If a deployment failed, or you can't revert a change, [open a support request](admin-support.md) with Microsoft Managed Desktop Operations. For more information, see [Deploy and track configurable settings](config-setting-deploy.md). ## Additional resources-- [Configurable settings reference](config-setting-ref.md) -- [Deploy configurable settings](config-setting-deploy.md) ++- [Configurable settings reference](config-setting-ref.md) +- [Deploy configurable settings](config-setting-deploy.md) |
| managed-desktop | Config Setting Ref | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/config-setting-ref.md | -This topic lists the settings categories that customers can configure with Microsoft Managed Desktop. Each setting category includes info on requirements, best practices, and how to customize the setting category. +This article lists the settings categories that customers can configure with Microsoft Managed Desktop. Each setting category includes information on requirements, best practices, and how to customize the setting category. ## Desktop background picture-You can customize the desktop background picture for Microsoft Managed Desktop devices in your organization. You might use this to apply a company brand or marketing material. ++You can customize the desktop background picture for Microsoft Managed Desktop devices in your organization. You might use the desktop background picture to apply a company brand or marketing material. ### Requirements These requirements must be met for a desktop background picture:-- Picture file format - .jpg, jpeg, or .png-- File location - Host on a trusted secure http (https) location. -- Not allowed - Http and file share (unc) locations are not supported. ++- Picture file format: .jpg, jpeg, or .png +- File location: Host on a trusted secure http (https) location. +- Not allowed: Http and file share (unc) locations aren't supported. ### Customize and deploy desktop background picture -**To add a custom desktop background picture** -1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu -2. Look for the Microsoft Managed Desktop section, select **Settings**. -3. In **Settings** workspace, select **Desktop background picture**. -4. Enter the location of the picture you want to use. -5. Select **Stage deployment** to save your changes and deploy them to the Test group. +**To add a custom desktop background picture:** ++1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu. +2. In the Microsoft Managed Desktop section, select **Settings**. +3. In the **Settings** workspace, select **Desktop background picture**. +4. Enter the location of the picture you want to use. +5. Select **Stage deployment** to save your changes and deploy them to the Test group. ## Browser start pages-Browser start pages open in individual tabs when your users start Microsoft Edge. If you want to make it easy for your users to open a set of sites that they use frequently, add a browser start page for each site. ++Browser start pages open in individual tabs when your users start Microsoft Edge. If you want to make it easy for your users to open a set of sites they use frequently, add a browser start page for each site. ### Requirements -You must provide the fully qualified domain name (FQDN) for intranet or Internet sites for your browser start pages. If internal sites are configured, let users know that access to these sites is only allowed when connected to the internal network when in the office, or when connected with a VPN connection. +You must provide the fully qualified domain name (FQDN) for intranet or Internet sites for your browser start pages. If internal sites are configured, inform users that access is only allowed when connected to the internal network, or when connected via VPN. ### Customize and deploy browser start pages -**To add a browser start page** -1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu -2. Look for the Microsoft Managed Desktop section, select **Settings**. -3. In **Settings** workspace, select **Browser start pages**. +**To add a browser start page:** ++1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu. +2. In the Microsoft Managed Desktop section, select **Settings**. +3. In the **Settings** workspace, select **Browser start pages**. 4. Select **Add start page**.-5. On **Add browser start page**, enter the URL for the site you want to use, and then select **Add start page**. -6. Repeat steps 1-5 for additional browser start pages. +5. In **Add browser start page**, enter the URL for the site you want to use, and then select **Add start page**. +6. Repeat steps 1-5 for to add more browser start pages. 7. Select **Stage deployment** to save your changes and deploy them to the Test group. ## Enterprise mode site list location -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Also, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using Internet Explorer 11 automatically. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on Internet Explorer 11. For more information on enterprise mode site lists,see [Enterprise Mode and Enterprise Mode Site Lists](/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). +If you have specific websites and apps that have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list to automatically open the websites in Internet Explorer 11. Also, if you know your intranet sites don't work correctly with Microsoft Edge, you can set all intranet sites to open automatically in Internet Explorer 11. ++Using Enterprise Mode means you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working in Internet Explorer 11. For more information on enterprise mode site lists,see [Enterprise Mode and Enterprise Mode Site Lists](/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). -You can specify an https:// location, or the location for an internal share where youΓÇÖve hosted your enterprise mode site list. +You can specify an `https://` location, or the location for an internal share where youΓÇÖve hosted your enterprise mode site list. ### Requirements These requirements must be met for the enterprise mode site list file:-- File format - XML file that meets [file requirements](/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#site-list-xml-file)-- File location - Host file on an internal https location. -- Not allowed - Hosting on an internal file share, like *//sharename*, is not allowed++- File format: XML file that meets [file requirements](/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#site-list-xml-file). +- File location: Host file on an internal https location. +- Not allowed: Hosting on an internal file share, like `//sharename`, is n't allowed. ### Best practices These best practices are offered to help customers make decisions to modernize their IT infrastructure:-- **Choose a limited number of sites** ΓÇô Microsoft Managed Desktop uses Microsoft Edge as the preferred browser to improve overall security for your organization and usability for your users. Most sites in this list are for legacy web apps that need an older version of a browser that will not include as many security features. -- **Consider an alternate** ΓÇô Consider a different site, or web app that doesnΓÇÖt require an older browser. Or, consider updating the site so that it can use newer browsers. Newer browsers use the latest technology and help improve security.++| Practice | Description | +| | | +| Choose a limited number of sites | Microsoft Managed Desktop uses Microsoft Edge as the preferred browser to improve overall security for your organization and usability for your users. Most sites in this list are for legacy web apps that need an older version of a browser that won't include as many security features. | +| Consider an alternate | Consider a different site, or web app that doesn't require an older browser. Or, consider updating the site so that it can use newer browsers. Newer browsers use the latest technology and help improve security. | ### Customize and deploy Enterprise site mode list location -**To add an enterprise site mode list location** +**To add an enterprise site mode list location:** -1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu -2. Look for the Microsoft Managed Desktop section, select **Settings**. -3. In **Settings** workspace, select **Enterprise mode site list location**. -4. Enter the https location for your site list. +1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu. +2. In the Microsoft Managed Desktop section, select **Settings**. +3. In the **Settings** workspace, select **Enterprise mode site list location**. +4. Enter the https location for your site list. 5. Select **Stage deployment** to save your changes and deploy them to the Test group. ## Trusted sites -Trusted sites allow you to customize security zones, or where a site can be used, for different sites. Security zones include: -- Zone 1 ΓÇô Local Intranet zone-- Zone 2 ΓÇô Trusted sites zone-- Zone 3 ΓÇô Internet zone-- Zone 4 ΓÇô Restricted Sites zone+Trusted sites allow you to customize security zones, or where a site can be used, for different sites. Security zones include: ++- Zone 1: Local Intranet zone +- Zone 2: Trusted sites zone +- Zone 3: Internet zone +- Zone 4: Restricted Sites zone ### Requirements -Provide the fully qualified domain name (FQDN) for intranet or Internet sites for each trusted site. +Provide the fully qualified domain name (FQDN) for intranet or Internet sites for each trusted site. ### Customize and deploy trusted sites -**To add a trusted site** +**To add a trusted site:** -1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu -2. Look for the Microsoft Managed Desktop section, select **Settings**. -3. In **Settings** workspace, select **Trusted sites**, and then select **Add trusted site**. -4. On **Add trusted site**, enter the URL, choose a security zone, and then select **Add trusted site**. -5. Repeat steps 1-4 for each trusted site you want to add. +1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu. +2. In the Microsoft Managed Desktop section, select **Settings**. +3. In the **Settings** workspace, select **Trusted sites**, and then select **Add trusted site**. +4. On **Add trusted site**, enter the URL, choose a security zone, and then select **Add trusted site**. +5. Repeat steps 1-4 for each trusted site you want to add. 6. Select **Stage deployment** to save your changes and deploy them to the Test group. -**To remove a trusted site** +**To remove a trusted site:** -1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu -2. Look for the Microsoft Managed Desktop section, select **Settings**. -3. In **Settings** workspace, select **Trusted sites**. -4. Select the site that you want to delete, and then select **Delete**. -5. Repeat steps 1-4 for each trusted site you want to delete. +1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu. +2. In the Microsoft Managed Desktop section, select **Settings**. +3. In **Settings** workspace, select **Trusted sites**. +4. Select the site that you want to delete, and then select **Delete**. +5. Repeat steps 1-4 for each trusted site you want to delete. 6. Select **Stage deployment** to save your changes and deploy them to the Test group. ## Proxy-You can manage network proxy settings for your organization. Add your proxy server and port number, and then add your proxy site exceptions. Microsoft Managed Desktop includes a set of default proxy exceptions that are required for the service to operate. The default exclusion list may only be modified by the Microsoft Managed Desktop service. For more information, see [Network configuration for Microsoft Managed Desktop](../get-ready/network.md). -The proxy site exceptions that you add in the Microsoft Managed Desktop portal are added to the default proxy exceptions included with Microsoft Managed Desktop service. +You can manage network proxy settings for your organization. Add your proxy server and port number, and then add your proxy site exceptions. ++Microsoft Managed Desktop includes a set of default proxy exceptions that are required for the service to operate. The default exclusion list may only be modified by the Microsoft Managed Desktop service. For more information, see [Network configuration for Microsoft Managed Desktop](../get-ready/network.md). ++The proxy site exceptions added in the Microsoft Managed Desktop portal are added to the default proxy exceptions included with the Microsoft Managed Desktop service. > [!NOTE] > Updating the default proxy exception list is always prioritized over customer deployments. This means that your staged deployment will be paused if there is a deployment for the default proxy exception list. The proxy site exceptions that you add in the Microsoft Managed Desktop portal a ### Requirements These requirements must be met for proxy server and proxy site exceptions:-- Must be a valid server address and port number-- URLs must be a valid http site ++- Must be a valid server address and port number. +- URLs must be a valid http site. ### Customize and deploy proxies -**To add an individual proxy site exception** +**To add an individual proxy site exception:** -1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu -2. Look for the Microsoft Managed Desktop section, select **Settings**. -3. In **Settings** workspace, select **Proxy**. -4. Enter the **Address** and **Port number** for you proxy server, and then select **Add proxy exception**. -5. Enter the URL of a valid http site, and then select **Add proxy exception**. -6. Repeat steps 1-5 for each trusted site you want to add. +1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Devices** menu. +2. In the Microsoft Managed Desktop section, select **Settings**. +3. In the **Settings** workspace, select **Proxy**. +4. Enter the **Address** and **Port number** for you proxy server, and then select **Add proxy exception**. +5. Enter the URL of a valid http site, and then select **Add proxy exception**. +6. Repeat steps 1-5 for each trusted site you want to add. 7. Select **Stage deployment** to save your changes and deploy them to the Test group. ## Additional resources-- [Configurable settings overview](config-setting-overview.md) -- [Deploy configurable settings](config-setting-deploy.md)++- [Configurable settings overview](config-setting-overview.md) +- [Deploy configurable settings](config-setting-deploy.md) |
| security | Compare Mdb M365 Plans | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/compare-mdb-m365-plans.md | +- m365initiative-defender-business +- m365-security-compliance # Compare Microsoft Defender for Business (preview) to Microsoft 365 Business Premium |
| security | Get Defender Business | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business.md | +- m365-security-compliance # Get Microsoft Defender for Business (preview) |
| security | Mdb Configure Security Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # Configure your security settings and policies in Microsoft Defender for Business (preview) |
| security | Mdb Create Edit Device Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-create-edit-device-groups.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # Device groups in Microsoft Defender for Business (preview) |
| security | Mdb Get Started | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-started.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business |
| security | Mdb Manage Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # Manage devices in Microsoft Defender for Business (preview) |
| security | Mdb Onboard Devices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # Onboard devices to Microsoft Defender for Business (preview) |
| security | Mdb Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business |
| security | Mdb Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # Microsoft Defender for Business (preview) requirements The following table lists the basic requirements to configure and use Microsoft | User accounts | User accounts are created<br/><br/>Microsoft Defender for Business (preview) licenses are assigned <br/><br/>To get help with this, see [Add users and assign licenses](../../admin/add-users/add-users.md). | | Permissions | To sign up for Microsoft Defender for Business (preview), you must be a Global Admin.<br/><br/>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned: <br/>- Security Reader<br/>- Security Admin<br/>- Global Admin<br/><br/>To learn more, see [Roles and permissions in Microsoft Defender for Business (preview)](mdb-roles-permissions.md). | | Browser requirements | Microsoft Edge or Google Chrome |-| Operating system | To manage devices in Microsoft Defender for Business (preview), your devices must be running Windows 10 Professional/Enterprise or later (with [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541)). <br/><br/>If you are already managing devices in Microsoft Intune (or Microsoft Endpoint Manager), or if you are using a non-Microsoft device management solution, your devices must be running one of the [operating systems that are supported in Microsoft Defender for Endpoint](../defender-endpoint/minimum-requirements.md). | +| Operating system | To manage devices in Microsoft Defender for Business (preview), your devices must be running one of the following operating systems: <br/>- Windows 10 Business or later <br/>- Windows 10 Professional or later <br/>- Windows 10 Enterprise or later <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed. <br/><br/>If you are already managing devices in Microsoft Intune (or Microsoft Endpoint Manager), or if you are using a non-Microsoft device management solution, your devices must be running one of the [operating systems that are supported in Microsoft Defender for Endpoint](../defender-endpoint/minimum-requirements.md). | | Integration with Microsoft Endpoint Manager | **During preview, you can onboard devices using a local script, which does not require integration with Microsoft Endpoint Manager**. But if you plan to onboard devices to Defender for Business (preview) manually by using downloadable packages for Microsoft Endpoint Manager, Group Policy, System Center Configuration Manager, or Mobile Device Management, then the following requirements must be met: <br/><br/>Devices must be running Windows 10 or 11 Professional/Enterprise (with [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) applied). <br/><br/>Prerequisites must be met for [Security Management for Microsoft Defender for Endpoint](/mem/intune/protect/mde-security-integration).<br/>- Azure AD must be configured such that trust is created between your company's devices and Azure AD. <br/>- Defender for Business (preview) must have security management enabled in Microsoft Endpoint Manager.<br/><br/>Devices must be able to connect to the following URLs:<br/>- `enterpriseregistration.windows.net` (for registration in Azure AD)<br/>- `login.microsoftonline.com` (for registration in Azure AD)<br/>- `*.dm.microsoft.com` (The wildcard (*) supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and can change as the service scales.) | > [!NOTE] |
| security | Mdb Respond Mitigate Threats | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-respond-mitigate-threats.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # Respond to and mitigate threats in Microsoft Defender for Business (preview) |
| security | Mdb Review Remediation Actions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-review-remediation-actions.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # Review remediation actions in the Action center |
| security | Mdb Setup Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-setup-configuration.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # Set up and configure Microsoft Defender for Business (preview) |
| security | Mdb Simplified Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-simplified-configuration.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # The simplified configuration process in Microsoft Defender for Business (preview) |
| security | Mdb View Edit Create Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-edit-create-policies.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # View or edit policies in Microsoft Defender for Business (preview) |
| security | Mdb View Manage Incidents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-manage-incidents.md | f1.keywords: NOCSH - SMB - M365-security-compliance+- m365initiative-defender-business # View and manage incidents in Microsoft Defender for Business (preview) |
| security | Configure Exclusions Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md | +- M365-security-compliance +- m365initiative-defender-endpoint # Configure and validate exclusions for Microsoft Defender Antivirus scans |
| security | Defender Endpoint Plan 1 2 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md | ms.technology: mdep1 ms.localizationpriority: medium f1.keywords: NOCSH -++- M365-security-compliance +- m365initiative-defender-endpoint # Microsoft Defender for Endpoint Plan 1 and Plan 2 |
| security | Defender Endpoint Plan 1 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1.md | ms.technology: mdep1 ms.localizationpriority: medium f1.keywords: NOCSH-++- M365-security-compliance +- m365initiative-defender-endpoint To learn more, see [Control USB devices and removable media](control-usb-devices With web protection, you can protect your organizationΓÇÖs devices from web threats and unwanted content. Web protection includes web threat protection and web content filtering. - [Web threat protection](web-threat-protection.md) prevents access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that you explicitly block.-- [Web content filtering](web-content-filtering.md) (preview) prevents access to certain sites based on their category. Categories can include adult content, leisure sites, legal liability sites, and more.+- [Web content filtering](web-content-filtering.md) prevents access to certain sites based on their category. Categories can include adult content, leisure sites, legal liability sites, and more. To learn more, see [web protection](web-protection-overview.md). |
| security | Linux Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md | ms.technology: mde **Applies to:** - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +## 101.56.62 (30.121122.15662.0) ++- Fixed a product crash introduced in 101.53.02 and that has impacted multiple customers + ## 101.53.02 (30.121112.15302.0) - Performance improvements & bug fixes |
| security | Mac Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md | ms.technology: mde > [!NOTE] > Beginning in late January 2022, Microsoft Defender for Endpoint (formerly known as Microsoft Defender ATP) will be referenced as "Microsoft Defender" across end user facing MDE experiences on macOS. > -> This change is currently available in the Beta (previously called Insider Fast) and Preview (previously called Insider Slow) update channels. The minimum product version that includes this change is 101.54.24. -> -> End users will observe the following changes: -> - The application installation path has been changed from `/Application/Microsoft Defender ATP.app` to `/Applications/Microsoft Defender.app`. -> - Within the user experience, occurrences of "Microsoft Defender ATP" have been replaced with "Microsoft Defender" +> This change is currently available in the Beta (previously called Insider Fast) and Preview (previously called Insider Slow) update channels. The minimum product version that includes this change is 101.56.35. See the below release notes corresponding to this version for more information. > > This change does not impact the `mdatp` command-line tool. > > **Action required**: if your enterprise has custom configurations that rely on either the product name or application installation path, these configurations must be updated with the new values listed above. +## 101.56.35 (20.121121.15635.0) ++- The application has been renamed from "Microsoft Defender ATP" to "Microsoft Defender". End users will observe the following changes: + - The application installation path has been changed from `/Application/Microsoft Defender ATP.app` to `/Applications/Microsoft Defender.app`. + - Within the user experience, occurrences of "Microsoft Defender ATP" have been replaced with "Microsoft Defender" +- Resolved an issue where some VPN applications could not connect due to the network content filter that is distributed with Microsoft Defender for Endpoint for Mac +- Addressed an issue discovered in macOS 12.2 beta 2 where the installation package could not be opened due to a change in the operating system (OS) that prevents installation of packages with certain characteristics. While it appears that this OS change is not included in the final release of macOS 12.2, it is likely that it will be reintroduced in a future macOS version. As such, we encourage all enterprise administrators to refresh the Microsoft Defender for Endpoint package in their management console to this product version (or a newer version). +- Addressed an issue seen on some M1 devices where the product was stuck with invalid antimalware definitions and could not successfully update to a working set of definitions. +- `mdatp health` output has been extended with an additional attribute called `full_disk_access_enabled` that can be used to determine whether Full Disk Access has been granted to all components of Microsoft Defender for Endpoint for Mac. +- Performance improvements & bug fixes + ## 101.54.16 (20.121111.15416.0) - macOS 10.14 (Mojave) is no longer supported |
| security | Manage Mde Post Migration Configuration Manager | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager.md | ms.localizationpriority: medium audience: ITPro - - M365-security-compliance - - m365solution-scenario +- M365-security-compliance +- m365solution-scenario +- m365initiative-defender-endpoint Last updated 11/29/2021 |
| security | Manage Updates Baselines Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md | +- M365-security-compliance +- m365initiative-defender-endpoint # Manage Microsoft Defender Antivirus updates and apply baselines |
| security | Mde P1 Setup Configuration | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration.md | ms.technology: mdep1 ms.localizationpriority: medium f1.keywords: NOCSH-++- M365-security-compliance +- m365initiative-defender-endpoint # Set up and configure Microsoft Defender for Endpoint Plan 1 |
| security | Mde Plan1 Getting Started | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plan1-getting-started.md | ms.technology: mdep1 ms.localizationpriority: medium f1.keywords: NOCSH-++- M365-security-compliance +- m365initiative-defender-endpoint |
| security | Microsoft Defender Antivirus Compatibility | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md | +- M365-security-compliance +- m365initiative-defender-endpoint # Microsoft Defender Antivirus compatibility with other security products |
| security | Microsoft Defender Antivirus On Windows Server | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md | +- M365-security-compliance +- m365initiative-defender-endpoint # Microsoft Defender Antivirus on Windows Server In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Prot - On Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role. -- On Windows Server, if you are running a non-Microsoft antivirus/antimalware solution, Microsoft Defender Antivirus does not go into either passive mode or disabled mode automatically. However, you can set Microsoft Defender Antivirus to passive or disabled mode manually.+- On Windows Server, if youΓÇÖre running a non-Microsoft antivirus/antimalware solution, Microsoft Defender Antivirus doesnΓÇÖt go into either passive mode or disabled mode automatically. However, you can set Microsoft Defender Antivirus to passive or disabled mode manually. ## Setting up Microsoft Defender Antivirus on Windows Server The process of setting up and running Microsoft Defender Antivirus on a server p ## Enable the user interface on Windows Server -By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default, but the GUI is not required. You can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus. +By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default, but the GUI isnΓÇÖt required. You can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus. -If the GUI is not installed on your server, and you want to install it, either the **Add Roles and Features** wizard or PowerShell cmdlets. +If the GUI isnΓÇÖt installed on your server, and you want to install it, either the **Add Roles and Features** wizard or PowerShell cmdlets. > [!NOTE] > This option is not available for Windows Server 2012 R2. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages). To use PowerShell to install Microsoft Defender Antivirus, run the following cmd Install-WindowsFeature -Name Windows-Defender ``` -Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender AV Events](troubleshoot-microsoft-defender-antivirus.md). +Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender Antivirus Events](troubleshoot-microsoft-defender-antivirus.md). ## Verify Microsoft Defender Antivirus is running sc query Windefend The `sc query` command returns information about the Microsoft Defender Antivirus service. When Microsoft Defender Antivirus is running, the `STATE` value displays `RUNNING`. -To view all the services that are not running, run the following Powershell cmdlet: +To view all the services that arenΓÇÖt running, run the following PowerShell cmdlet: ```console sc query state= all sc query state= all To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. -By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2022, or Windows Server 2016. You can change this configuration by using one of the following methods: +By default, Windows Update doesnΓÇÖt download and install updates automatically on Windows Server 2019 or Windows Server 2022, or Windows Server 2016. You can change this configuration by using one of the following methods: <br/><br/> | Method | Description | |||-| **Windows Update** in Control Panel | **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/><br/> **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | +| **Windows Update** in Control Panel | **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/><br/> **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates arenΓÇÖt automatically installed. | | **Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |-| The **AUOptions** registry key | The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/><br/> **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/><br/> **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | +| The **AUOptions** registry key | The following two values allow Windows Update to automatically download and install Security intelligence updates: <br/><br/> **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates. <br/><br/> **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates arenΓÇÖt automatically installed. | To ensure that protection from malware is maintained, we recommend that you enable the following The following table lists the services for Microsoft Defender Antivirus and the ## Submit samples -Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files. +Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We donΓÇÖt collect files that contain personal data, like Microsoft Word documents and PDF files. ### Submit a file To enable automatic sample submission, start a Windows PowerShell console as an |Setting|Description| |||-| **0** - **Always prompt** | The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019, or Windows Server 2022 without a GUI. | +| **0** - **Always prompt** | The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but isnΓÇÖt recommended for installations on Windows Server 2016 or 2019, or Windows Server 2022 without a GUI. | | **1** - **Send safe samples automatically** | The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |-| **2** - **Never send** | The Microsoft Defender Antivirus service does not prompt and does not send any files. | +| **2** - **Never send** | The Microsoft Defender Antivirus service doesnΓÇÖt prompt and doesnΓÇÖt send any files. | | **3** - **Send all samples automatically** | The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | > [!NOTE] See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](con ## Passive mode and Windows Server -If you are using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode. +If youΓÇÖre using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode. For more information, see [Install Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md#install-microsoft-defender-antivirus-on-windows-server). You can set Microsoft Defender Antivirus to passive mode by setting the followin 2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option. - If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. + If you clear **Windows Defender** by itself under the **Windows Defender Features** section, youΓÇÖll be prompted to remove the interface option **GUI for Windows Defender**. - Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. + Microsoft Defender Antivirus will still run normally without the user interface, but the user interface canΓÇÖt be enabled if you disable the core **Windows Defender** feature. ### Turn off the Microsoft Defender Antivirus user interface using PowerShell Uninstall-WindowsFeature -Name Windows-Defender-GUI ### Are you using Windows Server 2012 R2 or Windows Server 2016? -You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and and Windows Server 2016. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages). +You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and Windows Server 2016. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages). <br/><br/> | Procedure | Description | ||| | Disable Microsoft Defender Antivirus using Group Policy | In your Local Group Policy Editor, navigate to **Administrative Template** > **Windows Component** > **Endpoint Protection** > **Disable Endpoint Protection**, and then select **Enabled** > **OK**. |-| Disable Microsoft Defender Antivirus using a registry key | To use the the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*). | +| Disable Microsoft Defender Antivirus using a registry key | To use the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*). | | Disable Microsoft Defender Antivirus using PowerShell | Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true` | | Uninstall Microsoft Defender Antivirus using PowerShell | Use the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender` | |
| security | Microsoft Defender Antivirus Windows | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md | +- M365-security-compliance +- m365initiative-defender-endpoint # Microsoft Defender Antivirus in Windows |
| security | Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md | ms.technology: mde Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. > [!TIP]-> Soon, Microsoft Defender for Endpoint will be available in two plans. This article describes the features and capabilities that are included in Microsoft Defender for Endpoint Plan 2. [Learn more about Microsoft Defender for Endpoint Plan 1 (preview) and Plan 2](defender-endpoint-plan-1-2.md). +> Soon, Microsoft Defender for Endpoint will be available in two plans. This article describes the features and capabilities that are included in Microsoft Defender for Endpoint Plan 2. [Learn more about Microsoft Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md). > <p><p> |
| security | Minimum Requirements | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md | There are some minimum requirements for onboarding devices to the service. Learn > [!TIP] >-> - This article describes the minimum requirements for Microsoft Defender for Endpoint Plan 2. If you are looking for information about Defender for Endpoint Plan 1 (preview), see [Requirements for Defender for Endpoint Plan 1 (preview)](mde-p1-setup-configuration.md#review-the-requirements). +> - This article describes the minimum requirements for Microsoft Defender for Endpoint Plan 2. If you are looking for information about Defender for Endpoint Plan 1, see [Requirements for Defender for Endpoint Plan 1](mde-p1-setup-configuration.md#review-the-requirements). > - Learn about the latest enhancements in Defender for Endpoint: [Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). > - Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
| security | Next Generation Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-generation-protection.md | Microsoft Defender for Endpoint includes next-generation protection to reinforce - [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date. > [!TIP]-> Next-generation protection is included in both Microsoft Defender for Endpoint Plan 1 (preview) and Plan 2. [Learn more about Defender for Endpoint Plan 1 (preview) and Plan 2](defender-endpoint-plan-1-2.md) +> Next-generation protection is included in both Microsoft Defender for Endpoint Plan 1 and Plan 2. [Learn more about Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md) ## Try a demo! |
| security | Prevent Changes To Security Settings With Tamper Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md | +- M365-security-compliance +- m365initiative-defender-endpoint # Protect security settings with tamper protection |
| security | Respond File Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md | If you come across a problem when trying to submit a file, try each of the follo - [Take response actions on a device](respond-machine-alerts.md) - [Investigate files](investigate-files.md)-- [Manual response actions in Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md#manual-response-actions)+- [Manual response actions in Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md#manual-response-actions) |
| security | Respond Machine Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md | All other related details are also shown, for example, submission date/time, sub ## See also - [Take response actions on a file](respond-file-alerts.md)-- [Manual response actions in Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md#manual-response-actions)+- [Manual response actions in Microsoft Defender for Endpoint Plan 1](defender-endpoint-plan-1.md#manual-response-actions) - [Report inaccuracy](/microsoft-365/security/defender-endpoint/tvm-security-recommendation#report-inaccuracy) |
| security | Switch To Mde Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-overview.md | ms.localizationpriority: medium audience: ITPro - - M365-security-compliance - - m365solution-migratetomdatp - - m365solution-overview - - m365solution-mcafeemigrate - - m365solution-symantecmigrate -+- M365-security-compliance +- m365solution-migratetomdatp +- m365solution-overview +- m365solution-mcafeemigrate +- m365solution-symantecmigrate +- m365initiative-defender-endpoint + Last updated 11/29/2021 |
| security | Troubleshoot Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md | Microsoft Defender Antivirus scanning for viruses is disabled. </td> </tr> <tr>+<th colspan="2">Event ID: 5013</th> +</tr> +<tr><td> +Symbolic name: +</td> +<td > +<b> +</b> +</td> +</tr> +<tr> +<td> +Message: +</td> +<td > +<b>Tamper protection blocked a change to Microsoft Defender Antivirus. +</b> +</td> +</tr> +<tr> +<td> +Description: +</td> +<td > +If Tamper protection is enabled then, any attempt to change any of DefenderΓÇÖs settings if blocked and Event ID 5013 is generated that states which setting change was blocked. +</td> +</tr> +<tr> <th colspan="2">Event ID: 5100</th> </tr> <tr><td> |
| security | Why Cloud Protection Should Be On Mdav | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-cloud-protection-should-be-on-mdav.md | +- m365-security-compliance +- m365initiative-defender-endpoint # Why cloud protection should be enabled for Microsoft Defender Antivirus The following table summarizes the features and capabilities that depend on clou | Indicators of compromise (IoCs) | Microsoft Defender for Endpoint Plan 2 (Standalone or included in a plan like Microsoft 365 E5) | IoCs in Defender for Endpoint can be configured to define the detection, prevention, and exclusion of entities. For example, "allow" indicators can be used to define exceptions to Microsoft Defender Antivirus scans and remediation actions in Defender for Endpoint. As another example, "alert and block" indicators can be used to prevent files or processes from executing, and to track these activities with alerts that are viewable in the Microsoft 365 Defender portal. <br/><br/>To learn more, see [Create indicators](manage-indicators.md). | > [!TIP]-> To learn more about Defender for Endpoint plans, see [Microsoft Defender for Endpoint Plan 1 (preview) and Plan 2](defender-endpoint-plan-1-2.md). +> To learn more about Defender for Endpoint plans, see [Microsoft Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md). ## Next steps |
| security | Incident Response Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-response-overview.md | audience: ITPro - M365-security-compliance - m365initiative-m365-defender+ - m365solution-incidentresponse + - m365solution-scenario + - m365solution-overview search.appverid: - MOE150 |
| security | M365d Permissions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-permissions.md | ms.technology: m365d **Applies to:** - Microsoft 365 Defender -There are two ways to manage access to Microsoft 365 Defender +There are two ways to manage access to Microsoft 365 Defender: - **Global Azure Active Directory (AD) roles** - **Custom role access** |
| security | Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md | audience: ITPro - M365-security-compliance - m365initiative-m365-defender+ - m365solution-m365-defender + - m365solution-scenario + - m365solution-overview - admindeeplinkDEFENDER - intro-overview |
| security | Identity Access Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md | ms.technology: mdo # Common Zero Trust identity and device access policies -**Applies to** -- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- Azure- This article describes the common recommended Zero Trust identity and device access policies for securing access to Microsoft 365 cloud services, including on-premises applications published with Azure Active Directory (Azure AD) Application Proxy. This guidance discusses how to deploy the recommended policies in a newly-provisioned environment. Setting up these policies in a separate lab environment allows you to understand and evaluate the recommended policies before staging the rollout to your preproduction and production environments. Your newly provisioned environment can be cloud-only or hybrid to reflect your evaluation needs. |
| security | Identity Access Prerequisites | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md | ms.technology: mdo # Prerequisite work for implementing Zero Trust identity and device access policies -**Applies to** -- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- Azure- This article describes the prerequisites admins must meet to use recommended Zero Trust identity and device access policies, and to use Conditional Access. It also discusses the recommended defaults for configuring client platforms for the best single sign-on (SSO) experience. ## Prerequisites |
| security | Microsoft 365 Continuous Access Evaluation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-continuous-access-evaluation.md | ms.technology: mdo # Continuous access evaluation for Microsoft 365 -**Applies to** -- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)- Modern cloud services that use OAuth 2.0 for authentication traditionally rely on access token expiration to revoke a user accountΓÇÖs access. In practice, this means even if an administrator revokes a user accountΓÇÖs access, the user will still have access until the access token expires, which for Microsoft 365 by default, used to be up to an hour after the initial revocation event took place. Conditional access evaluation for Microsoft 365 and Azure Active Directory (Azure AD) proactively terminates active user sessions and enforces tenant policy changes in near real time instead of relying on access token expiration. Azure AD notifies continuous access evaluation-enabled Microsoft 365 services (such as SharePoint, Teams, and Exchange) when the user account or tenant has changed in a way that requires reevaluation of the user accountΓÇÖs authentication state. |
| security | Microsoft 365 Policies Configurations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md | ms.technology: mdo # Zero Trust identity and device access configurations -**Applies to** -- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)--<!-- -The modern security perimeter of your organization now extends beyond your network to include users accessing cloud-based apps from any location with a variety of devices. Your security infrastructure needs to determine whether a given access request should be granted and under what conditions. --This determination should be based on the user account of the sign-in, the device being used, the app the user is using for access, the location from which the access request is made, and an assessment of the risk of the request. This capability helps ensure that only approved users and devices can access your critical resources. -> - Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to an organizationΓÇÖs technology resources and services are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries. To address this new world of computing, Microsoft highly recommends the Zero Trust security model, which is based on these guiding principles: |
| security | Permissions In The Security And Compliance Center | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md | To see how to grant access to the Security & Compliance Center, check out [Give |**Knowledge Administrators**|Configure knowledge, learning, assign trainings and other intelligent features.|Knowledge Admin| |**MailFlow Administrator**|Members can monitor and view mail flow insights and reports in the Security & Compliance Center. Global admins can add ordinary users to this group, but, if the user isn't a member of the Exchange Admin group, the user will not have access to Exchange admin-related tasks.|View-Only Recipients| |**Organization Management**<sup>1</sup>|Members can control permissions for accessing features in the Security & Compliance Center, and also manage settings for device management, data loss prevention, reports, and preservation. <p> Users who are not global administrators must be Exchange administrators to see and take action on devices that are managed by Basic Mobility and Security for Microsoft 365 (formerly known as Mobile Device Management or MDM). <p> Global admins are automatically added as members of this role group.|Audit Logs <p> Case Management <p> Communication Compliance Admin <p> Communication Compliance Case Management <p> Compliance Administrator <p> Compliance Search <p> Device Management <p> DLP Compliance Management <p> Hold <p> IB Compliance Management <p> Insider Risk Management Admin <p> Manage Alerts <p> Organization Configuration <p> Quarantine <p> RecordManagement <p> Retention Management <p> Role Management <p> Search And Purge <p> Security Administrator <p> Security Reader <p> Sensitivity Label Administrator <p> Sensitivity Label Reader <p> Service Assurance View <p> Tag Contributor <p> Tag Manager <p> Tag Reader <p> View-Only Audit Logs <p> View-Only Device Management <p> View-Only DLP Compliance Management <p> View-Only IB Compliance Management <p> View-Only Case <p> View-Only Manage Alerts <p> View-Only Recipients <p> View-Only Record Management <p> View-Only Retention Management|-|**Privacy Management**|Manage access control for Privacy Management in the Microsoft 365 compliance center.|Case Management <p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Admin <p> Privacy Management Analysis <p> Privacy Management Investigation <p> Privacy Management Permanent contribution <p> Privacy Management Temporary contribution <p> Privacy Management Viewer <p> Subject Rights Request Admin <p> View-Only Case| +|**Privacy Management**|Manage access control for Priva in the Microsoft 365 compliance center.|Case Management <p> Data Classification Content Viewer <p> Data Classification List Viewer <p> Privacy Management Admin <p> Privacy Management Analysis <p> Privacy Management Investigation <p> Privacy Management Permanent contribution <p> Privacy Management Temporary contribution <p> Privacy Management Viewer <p> Subject Rights Request Admin <p> View-Only Case| |**Privacy Management Administrators**|Administrators of privacy management solution that can create/edit policies and define global settings.|Case Management <p> Privacy Management Admin <p> View-Only Case| |**Privacy Management Analysts**|Analysts of privacy management solution that can investigate policy matches, view messages meta data, and take remediation actions.|Case Management <p> Data Classification List Viewer <p> Privacy Management Analysis <p> View-Only Case| |**Privacy Management Contributors**|Manage contributor access for privacy management cases.|Privacy Management Permanent contribution <p> Privacy Management Temporary contribution| |
| security | Secure Email Recommended Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-email-recommended-policies.md | ms.technology: mdo # Policy recommendations for securing email -**Applies to** -- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)- This article describes how to implement the recommended Zero Trust identity and device access policies to protect organizational email and email clients that support modern authentication and conditional access. This guidance builds on the [Common identity and device access policies](identity-access-policies.md) and also includes a few additional recommendations. These recommendations are based on three different tiers of security and protection that can be applied based on the granularity of your needs: **starting point**, **enterprise**, and **specialized security**. You can learn more about these security tiers, and the recommended client operating systems, referenced by these recommendations in the [recommended security policies and configurations introduction](microsoft-365-policies-configurations.md). |
| security | Sharepoint File Access Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/sharepoint-file-access-policies.md | ms.technology: mdo # Policy recommendations for securing SharePoint sites and files -**Applies to** -- [Exchange Online Protection](exchange-online-protection-overview.md)-- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)-- SharePoint Online -- This article describes how to implement the recommended Zero Trust identity and device access policies to protect SharePoint and OneDrive for Business. This guidance builds on the [common identity and device access policies](identity-access-policies.md). These recommendations are based on three different tiers of security and protection for SharePoint files that can be applied based on the granularity of your needs: **starting point**, **enterprise**, and **specialized security**. You can learn more about these security tiers, and the recommended client operating systems, referenced by these recommendations in [the overview](microsoft-365-policies-configurations.md). |